Vista BSOD - HELP please!!

MrJubbly · 8 Apr 2008 at 22:43

Hi,

I've been running Vista Ultimate 64 bit for about 6 months now and for the most part it has been very stable. Over the weekend though I had an install/unstall issue with Adobe Acrobat reader, during which I did get a BSOD specifying:

PAGE_FAULT_IN_NONPAGED_AREA

At the time I thought nothing of it, as all seemed okay after resolving the install/uninstall issue above. That was until this evening. Now when I boot up the system I get this error every time after logging on. somtimes it takes 30 seconds, others a couple of minutes. If I boot in safemode the problem does not occur. If I logon as another user the problem still occurs.

I have also booted from the Windows disk and tried restoring the system back to a time before the weekend. The restore worked but still getting the BSOD. Have run OS memory diagnostic and no errors are reported.

I'm pretty much a PC novice and am not sure what my next steps should be, so would appreciate anyones help/guidance on this.

Thanks

Jubbly

MrJubbly · 8 Apr 2008 at 23:24

I've just done a search on this site (yes I know I should have done that first - sorry) and found the following:

http://forums.overclockers.co.uk/showthread.php?t=17785127&highlight=page_fault

The snapshot of the BSOD in post #14 is indentical to what I'm getting. By the sounds of it the problem for the guy in the above post turned out to be RAM and Volts setting. I'm not sure if my circumstances are the same, given that I have been running on 2GB since build, and 4GB since the end of Feb with no probs.

If I do have a RAM problem is it feasible that the RAM could just go, just like that? How do I got about proving it is faulty, and how do I set the voltages (if it is that)?

Sorry, asking more questions now - this is all new ground for me.

Cheers,

Jubbly

RobH · 9 Apr 2008 at 01:08

Your best bet is to download a program called memtest86 which is a bootable ISO image that you burn to a CD. You then boot off the CD and you can run tests on your memory, it will tell you if there are any errors during reading/writing to the memory. If it does find errors then you'll need to start pulling out sticks until they disappear so you can identify the faulty module.

Memory errors can also be related to voltage as you suggested, you can normally change the voltage in the BIOS, sometimes labelled as VDIMM. Some BIOS's allow you to set a voltage, others allow you to do 0.1v increments so you'll have to have a look. Check the specification of your memory because you don't want to damage it, for example the poular GeIL Ultra Low Latency stuff OcUK sell is rated a 2.1 volts which is higher than standard.

MrJubbly · 9 Apr 2008 at 20:26

Thanks RobH,

RobH said:
Your best bet is to download a program called memtest86 which is a bootable ISO image that you burn to a CD. You then boot off the CD and you can run tests on your memory, it will tell you if there are any errors during reading/writing to the memory. If it does find errors then you'll need to start pulling out sticks until they disappear so you can identify the faulty module.

Not sure if I can burn the ISO myself, so I've got a friend burning me a copy tonight in case I can't do it this evening.

RobH said:
Memory errors can also be related to voltage as you suggested, you can normally change the voltage in the BIOS, sometimes labelled as VDIMM. Some BIOS's allow you to set a voltage, others allow you to do 0.1v increments so you'll have to have a look. Check the specification of your memory because you don't want to damage it, for example the poular GeIL Ultra Low Latency stuff OcUK sell is rated a 2.1 volts which is higher than standard.

I actually have the GeIL Ultra Low Latency and have set it to 2.1 volts this evening, but this made no difference.

One thing I did notice this evening, when testing the voltage change, is that once Vista fires up, for the few second/minutes before the BSOD, the CPU and HDD are very busy for a system which should be idling at that point. Under the 'Reliability and Performance Monitor' the CPU swings between 5% and 20%, and Disk shows MB's of data being shipped per second with a Highest Active Time in the high 90s (%). What's all this about?

I'm in Safemode at the momment (which is perfectly stable) and wondered if there is anything else I can do by way of further analysis/investigation for this problem, in addition running memtest86?

Cheers,

Jubbly

Una · 9 Apr 2008 at 20:45

RobH said:
Your best bet is to download a program called memtest86 which is a bootable ISO image that you burn to a CD. You then boot off the CD and you can run tests on your memory, it will tell you if there are any errors during reading/writing to the memory. If it does find errors then you'll need to start pulling out sticks until they disappear so you can identify the faulty module.

Memory errors can also be related to voltage as you suggested, you can normally change the voltage in the BIOS, sometimes labelled as VDIMM. Some BIOS's allow you to set a voltage, others allow you to do 0.1v increments so you'll have to have a look. Check the specification of your memory because you don't want to damage it, for example the poular GeIL Ultra Low Latency stuff OcUK sell is rated a 2.1 volts which is higher than standard.

I can't see how it would have anything to do with that.... A PAGE_FAULT_IN_NONPAGED_AREA is when something tried to reference an address in kernel memory space which is flagged as a non-pageable address range. Most common reason for this is a driver dereferencing a bad pointer..

Without the proper full debug info I can't tell you anymore.

MrJubbly · 9 Apr 2008 at 20:58

Una said:
I can't see how it would have anything to do with that.... A PAGE_FAULT_IN_NONPAGED_AREA is when something tried to reference an address in kernel memory space which is flagged as a non-pageable address range. Most common reason for this is a driver dereferencing a bad pointer..

Without the proper full debug info I can't tell you anymore.

What debug info would you need, and how can I get it?

Cheers,

Jubbly

Una · 9 Apr 2008 at 21:09

MrJubbly said:
What debug info would you need, and how can I get it?

Cheers,

Jubbly

Ideally a minidump, though no guaratees I can work anything out for you (since I don't have a vista box here atm).

Edit: I guess you want to know how to do that as well :/ Right click my computer > properties > advanced > startup and recordery. Then you need to set it so it does small dumps and not automatically restart. It should then dump into the dir you have specified there (C:\windows\minidump on my system). Then get the latest one and you can upload it somewhere and someone might have an idea (or I might

) .

MrJubbly · 10 Apr 2008 at 08:00

Una said:
Ideally a minidump, though no guaratees I can work anything out for you (since I don't have a vista box here atm).

Edit: I guess you want to know how to do that as well :/ Right click my computer > properties > advanced > startup and recordery. Then you need to set it so it does small dumps and not automatically restart. It should then dump into the dir you have specified there (C:\windows\minidump on my system). Then get the latest one and you can upload it somewhere and someone might have an idea (or I might ) .

I'll try doing the minidump this evening (not sure how I can upload it for your perusal yet though?). In the meantime, I did manage to run Memtest86 last night. It ran for just over two hours and found no errors, so does this catagoricaly rule the memory out as being faulty?

Cheers,

Jubbly

Una · 10 Apr 2008 at 16:29

MrJubbly said:
I'll try doing the minidump this evening (not sure how I can upload it for your perusal yet though?). In the meantime, I did manage to run Memtest86 last night. It ran for just over two hours and found no errors, so does this catagoricaly rule the memory out as being faulty?

Cheers,

Jubbly

After the dump has completed, reboot.. then find the dump in the directory and upload it somewhere. You might have to copy it to usb or something in safemode then upload with another computer if you really can't access the file system without it bluescreening.

Its unlikely to be the memory I think - especially if that test is clear. Likely causes are new software installed/uninstalled or updates/security patched applied when it started happening.

Ethics · 10 Apr 2008 at 16:38

If it was after an adobe uninstall you can try something else quick and simple see if it fixes it, run msconfig from the run command, go to the startup tab and untick anything relating to adobe. This will stop any adobe programs from running at startup, you could also run services.msc and set any services t odo wit hadobe to manual/disabled (manual means it will only start the service when called specifically by an application, and since you have disabled them from startup any ones that shouldnt be starting, wont

Then reboot see if that helps

MrJubbly · 10 Apr 2008 at 22:59

Ethics said:
If it was after an adobe uninstall you can try something else quick and simple see if it fixes it, run msconfig from the run command, go to the startup tab and untick anything relating to adobe. This will stop any adobe programs from running at startup, you could also run services.msc and set any services t odo wit hadobe to manual/disabled (manual means it will only start the service when called specifically by an application, and since you have disabled them from startup any ones that shouldnt be starting, wont

Then reboot see if that helps

Ethics, thanks for the suggestion. I'd forgotton about this (I had used this feature with a problem install last year). I was hopeful it would work here, but alas no. I'll try producing the dump now as per Una's suggestion.

Thanks again,

Jubbly

MrJubbly · 10 Apr 2008 at 23:19

Una said:
After the dump has completed, reboot.. then find the dump in the directory and upload it somewhere. You might have to copy it to usb or something in safemode then upload with another computer if you really can't access the file system without it bluescreening.

Its unlikely to be the memory I think - especially if that test is clear. Likely causes are new software installed/uninstalled or updates/security patched applied when it started happening.

Una, sorry I can't seem to find how to set the system to produce minidumps. However, when I've been looking at 'Problem Reports and Solutions', after booting up after the BSOD, it shows that 3 files have been produced: Mini<mmddyy>-<count>, sysdata.xml and version.txt. Is this 'Mini' file of any use to you? If so how can I get it to you?

Regarding my last point about system activity after Vista starts (CPU and HDD activity). There appears to many iterations of svchost.exe running. Does this mean anything?

Cheers

Jubbly

Una · 11 Apr 2008 at 00:10

MrJubbly said:
Una, sorry I can't seem to find how to set the system to produce minidumps. However, when I've been looking at 'Problem Reports and Solutions', after booting up after the BSOD, it shows that 3 files have been produced: Mini<mmddyy>-<count>, sysdata.xml and version.txt. Is this 'Mini' file of any use to you?If so how can I get it to you?

Yeah the Mini<mmddyy>-<count> is what is useful. Either upload it somewhere on the web and post the link or drop me an email with it and ill see what I can do (Not promising ill be able to tell you anything useful though).

svchost.exe is service host - When services are implemented as dlls, its svchost.exe's job to load them. Now you should be able to see what services its doing with tasklist /svc (might be different on vista). It may well be that svchost is trying to load a service which is causing your BSOD...

MrJubbly · 11 Apr 2008 at 17:56

Una said:
Yeah the Mini<mmddyy>-<count> is what is useful. Either upload it somewhere on the web and post the link or drop me an email with it and ill see what I can do (Not promising ill be able to tell you anything useful though).QUOTE]

Una, happy to email you the dump, and appreciate that you can't promise anything. Any help at all though is much appreciated. I assume we don't publicise email addreses on the forum so how do I contact you?

In the meantime I'm trying to whittle down services to determine which one is causing my issue.

Cheers,

Jubbly

Una · 11 Apr 2008 at 20:30

MrJubbly said:
Yeah the Mini<mmddyy>-<count> is what is useful. Either upload it somewhere on the web and post the link or drop me an email with it and ill see what I can do (Not promising ill be able to tell you anything useful though).QUOTE]

Una, happy to email you the dump, and appreciate that you can't promise anything. Any help at all though is much appreciated. I assume we don't publicise email addreses on the forum so how do I contact you?

In the meantime I'm trying to whittle down services to determine which one is causing my issue.

Cheers,

Jubbly

My emails in trust on my profile.

MrJubbly · 11 Apr 2008 at 23:15

Una have sent you the DMP.

This evenining I have been working my way through the services. Started with just those services enabled that are started in Safe Mode. Then I've been viewing the details on those services I thought more likely to be the cause of my problem and denabling/starting them. In the end I have found that it is the following combination of Services that seem to cause my problem:

Windows Mudules Installer
Windows Update

If I re-enable ALL services on my system and just leave these two disabled, then my system is stable. I guess the reason my PC was failing every time at startup, was because it starts these services to perform a prelminary check for updates.

The problem I have now is knowing why these services are actually causing this problem and, more importantly, how I go about fixing it? Am I looking at an OS re-install? Comments anyone?

Cheers,

Jubbly

Una · 12 Apr 2008 at 13:57

What you should try now is try just enable one of the two services and see if the BSOD still occurs. If it does not you know which service is causing the problem and have narrowed it down further. Check your event logs as well, see if there is a problem with any services in there. Have you applied any patches recently, security/updates ones? Has it started occurring since then? You can keep those services disabled and manually update by just downloading the patches. It may well be a known issue MS are gonna patch soon.

What you have written actually agrees with what I could work out from that crash dump. From the mini dump alone it looks a service is calling KiSystemServiceCopyEnd, loading some registry keys, hiving the data and then trying to write to a non paged area cos of a bug in the code/memory corruption..

What follows is rather technical and you can just skip this bit. It might be that someone else knows the bits I am unclear about or could correct any mistakes.

I'm lacking symbols from the minidump so the callstack is harder to understand.. a full kernel crash dump might fix that..

Code:

FAULTING_IP: 
nt!memset+c2
fffff800`01cbf292 480fc351d8      movnti  qword ptr [rcx-28h],rdx

fffffa60`0929d3d8 fffff800`01ebd19f : 00000000`00001ce0 fffffa80`000e7020 00000000`000e8000 00000000`00000fe0 : nt!memset+0xc2

Destination - First arg = fffffa80`000e7020
Fill value - The second arg e8000h = 59392 – Weird fill value, but who's to say?
Length - Third arg = fe0 = 4064

Code:

STACK_TEXT:  
fffffa60`0929d148 fffff800`01cc9371 : 00000000`00000050 fffff880`0a51d000 00000000`00000001 fffffa60`0929d240 : nt!KeBugCheckEx
fffffa60`0929d150 fffff800`01cb8f19 : 00000000`00000001 fffff6fb`7e200290 00000000`00000000 00000000`00660074 : nt!MmAccessFault+0x1371
fffffa60`0929d240 fffff800`01cbf292 : fffff800`01ebd19f 00000000`00001ce0 fffffa80`000e7020 00000000`000e8000 : nt!KiPageFault+0x119
fffffa60`0929d3d8 fffff800`01ebd19f : 00000000`00001ce0 fffffa80`000e7020 00000000`000e8000 00000000`00000fe0 : nt!memset+0xc2
fffffa60`0929d3e0 fffff800`01ee815a : 00000000`00000000 00000000`00a3d000 fffff880`0a449010 00000000`00010282 : nt! ?? ::NNGAKEGL::`string'+0x12e8e
fffffa60`0929d430 fffff800`01f8b45d : 00000000`00000000 00000000`00000000 00000000`00570000 fffff880`0a51c000 : nt!HvpEnlistBinInMap+0xfe
fffffa60`0929d470 fffff800`01ee93b6 : fffff880`0a449010 00000000`00a3d000 fffff880`000e9000 00000000`00000000 : nt! ?? ::NNGAKEGL::`string'+0x34494
fffffa60`0929d4f0 fffff800`01ee8a93 : 00000000`00000001 00000000`00a40000 fffff880`0a310000 01c88dd7`b1db4ee0 : nt!HvLoadHive+0xce
fffffa60`0929d540 fffff800`01ee8f58 : 00000000`00000000 00000000`00000002 00000000`00000002 fffffa60`0929d6f8 : nt!HvInitializeHive+0x253
fffffa60`0929d590 fffff800`01ee86fc : fffffa60`0929d6f0 ffffffff`80000604 ffffffff`00000000 fffffa60`0929da40 : nt!CmpInitializeHive+0x438
fffffa60`0929d680 fffff800`01ee9274 : 00000000`00000000 fffffa60`00000000 fffffa60`0929d828 fffffa60`0929d821 : nt!CmpInitHiveFromFile+0x1d0
fffffa60`0929d760 fffff800`020a2acf : 00000000`00000000 00000000`00000000 00000000`00000000 fffff800`01d98105 : nt!CmpCmdHiveOpen+0x70
fffffa60`0929d7e0 fffff800`020a3c0f : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000001 : nt!CmLoadKey+0x4af
fffffa60`0929d9a0 fffff800`020a3e84 : fffff880`08f2e3f0 00000000`020de798 00000000`00000000 00000000`00000000 : nt!NtLoadKeyEx+0x75d
fffffa60`0929dbd0 fffff800`01cb9e33 : fffffa80`05014060 fffffa60`0929dca0 00000000`020de748 fffffa80`06965750 : nt!NtLoadKey+0x24
fffffa60`0929dc20 00000000`7745684a : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x13
00000000`020de698 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x7745684a

nt! ?? ::NNGAKEGL::`string'+0x12e8e – Not sure about this, think its because I'm missing the symbols for it.

00000000`020de698 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x7745684a – What's calling KiSystemServiceCopyEnd? < Whatever this is then its likely the service which is causing you problems.

I'm pretty new to windows internals, more a unix coder.

MrJubbly · 12 Apr 2008 at 20:31

Una said:
I'm pretty new to windows internals, more a unix coder.

That's not bad for soemone who is new to windows

. Seriously though, thanks for going out of your way to look at this.

The two services mentioned seem to be interelated. If I start them, after the system has started then the system doesn't crash.

If I then do a 'check for updates' and then an 'install updates', the system crashes with the usual error. I have then tried just selecting certain updates to install. So far the non-OS updates seem to install okay. All the OS related ones however cause the BSOD.

If I have the two services enabled at startup, following the BSOD generated after a failed install, the system will crash soon after startup, as reported in my opening post.

Looks like I'm going to have to re-install the OS to fix this one, unless anyone has got any more ideas. I've been all over the MS knowledge base and haven't come up with anything yet.

Cheers,

Jubbly