Please help me diagnose my BSOD

Danja · Jan 2, 2013

I recently started getting BSODs and I can't figure out why. They usually happen while I'm playing Skyrim, but I've had a couple where I left my PC on overnight and came back in the morning to a "Windows has recovered from an unexpected shutdown" message. I finally managed to grab my camera quickly enough to snap a shot last night:

I looked online and found it's usually a RAM or HDD error. I ran four passes of Memtest86+ and it detected no errors. I also ran Chkdsk on my SSD boot drive, my main 1 TB HDD, and my 2TB RAID media HDDs. Today there were no errors found, although it is worth noting that when I first ran Chkdsk 2 weeks ago when the BSODs began, the 1 TB drive showed a crap-ton of errors which were supposedly fixed. This greatly decreased the frequency of my BSODs, but did not eliminate them. I reran Chkdsk today and found no errors on any of the drives.

My video card is currently at stock clocks, and has been for months. When I started getting BSODs I lowered my CPU frequency from 3.8 gHz to 3.5; this had no effect on crashing.

What's my most likely culprit?

Silicon_Chef · Jan 2, 2013

From my own personal experiences it's usually a driver issue. Start retracing your steps as far as whet was the last thing you changed on your PC and go from there. I would update all the drivers for your PC including BIOS.

Demon10000 · Jan 2, 2013

If it's a driver, the mini-dump should be able to identify it. Upload the mini-dump, or look for an article on using Windbg to read the dump. It isn't that difficult if you feel like trying...

Danja · Jan 3, 2013

I feel like trying. When I first ran WinDbg, I got an error saying "Symbol search path is: *** Invalid ***".

I went to the Microsoft Symbol Download page and downloaded the "Windows 7 Service Pack 1 x64 retail symbols, all languages(File size: 287 MB)" package. I installed it to E:\Utilities\Microsoft\Symbols. I then set the _NT_SYMBOL_PATH environment variable to E:\Utilities\Microsoft\Symbols.

Now, when I open the minidump, I get the following:

Code:

Microsoft (R) Windows Debugger Version 6.2.9200.16384 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.


Loading Dump File [C:\Windows\Minidump\010213-9734-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available

Symbol search path is: E:\Utilities\Microsoft\Symbols
Executable search path is: 
Unable to load image \SystemRoot\system32\ntoskrnl.exe, Win32 error 0n2
*** WARNING: Unable to verify timestamp for ntoskrnl.exe
*** ERROR: Module load completed but symbols could not be loaded for ntoskrnl.exe
Windows 7 Kernel Version 7601 (Service Pack 1) MP (8 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 7601.17944.amd64fre.win7sp1_gdr.120830-0333
Machine Name:
Kernel base = 0xfffff800`02e1e000 PsLoadedModuleList = 0xfffff800`03062670
Debug session time: Wed Jan  2 00:32:04.641 2013 (UTC - 8:00)
System Uptime: 3 days 10:26:51.518
Unable to load image \SystemRoot\system32\ntoskrnl.exe, Win32 error 0n2
*** WARNING: Unable to verify timestamp for ntoskrnl.exe
*** ERROR: Module load completed but symbols could not be loaded for ntoskrnl.exe
Loading Kernel Symbols
...............................................................
................................................................
..........................................................
Loading User Symbols
Loading unloaded module list
......
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 7A, {fffff6fc50023860, ffffffffc0000056, bc981880, fffff8a00470c000}

***** Kernel symbols are WRONG. Please fix symbols to do analysis.

*************************************************************************
***                                                                   ***
***                                                                   ***
***    Either you specified an unqualified symbol, or your debugger   ***
***    doesn't have full symbol information.  Unqualified symbol      ***
***    resolution is turned off by default. Please either specify a   ***
***    fully qualified symbol module!symbolname, or enable resolution ***
***    of unqualified symbols by typing ".symopt- 100". Note that   ***
***    enabling unqualified symbol resolution with network symbol     ***
***    server shares in the symbol path may cause the debugger to     ***
***    appear to hang for long periods of time when an incorrect      ***
***    symbol name is typed or the network symbol server is down.     ***
***                                                                   ***
***    For some commands to work properly, your symbol path           ***
***    must point to .pdb files that have full type information.      ***
***                                                                   ***
***    Certain .pdb files (such as the public OS symbols) do not      ***
***    contain the required information.  Contact the group that      ***
***    provided you with these symbols if you need this command to    ***
***    work.                                                          ***
***                                                                   ***
***    Type referenced: nt!_KPRCB                                     ***
***                                                                   ***
*************************************************************************
*************************************************************************
***                                                                   ***
***                                                                   ***
***    Either you specified an unqualified symbol, or your debugger   ***
***    doesn't have full symbol information.  Unqualified symbol      ***
***    resolution is turned off by default. Please either specify a   ***
***    fully qualified symbol module!symbolname, or enable resolution ***
***    of unqualified symbols by typing ".symopt- 100". Note that   ***
***    enabling unqualified symbol resolution with network symbol     ***
***    server shares in the symbol path may cause the debugger to     ***
***    appear to hang for long periods of time when an incorrect      ***
***    symbol name is typed or the network symbol server is down.     ***
***                                                                   ***
***    For some commands to work properly, your symbol path           ***
***    must point to .pdb files that have full type information.      ***
***                                                                   ***
***    Certain .pdb files (such as the public OS symbols) do not      ***
***    contain the required information.  Contact the group that      ***
***    provided you with these symbols if you need this command to    ***
***    work.                                                          ***
***                                                                   ***
***    Type referenced: nt!KPRCB                                      ***
***                                                                   ***
*************************************************************************
*************************************************************************
***                                                                   ***
***                                                                   ***
***    Either you specified an unqualified symbol, or your debugger   ***
***    doesn't have full symbol information.  Unqualified symbol      ***
***    resolution is turned off by default. Please either specify a   ***
***    fully qualified symbol module!symbolname, or enable resolution ***
***    of unqualified symbols by typing ".symopt- 100". Note that   ***
***    enabling unqualified symbol resolution with network symbol     ***
***    server shares in the symbol path may cause the debugger to     ***
***    appear to hang for long periods of time when an incorrect      ***
***    symbol name is typed or the network symbol server is down.     ***
***                                                                   ***
***    For some commands to work properly, your symbol path           ***
***    must point to .pdb files that have full type information.      ***
***                                                                   ***
***    Certain .pdb files (such as the public OS symbols) do not      ***
***    contain the required information.  Contact the group that      ***
***    provided you with these symbols if you need this command to    ***
***    work.                                                          ***
***                                                                   ***
***    Type referenced: nt!_KPRCB                                     ***
***                                                                   ***
*************************************************************************
*************************************************************************
***                                                                   ***
***                                                                   ***
***    Either you specified an unqualified symbol, or your debugger   ***
***    doesn't have full symbol information.  Unqualified symbol      ***
***    resolution is turned off by default. Please either specify a   ***
***    fully qualified symbol module!symbolname, or enable resolution ***
***    of unqualified symbols by typing ".symopt- 100". Note that   ***
***    enabling unqualified symbol resolution with network symbol     ***
***    server shares in the symbol path may cause the debugger to     ***
***    appear to hang for long periods of time when an incorrect      ***
***    symbol name is typed or the network symbol server is down.     ***
***                                                                   ***
***    For some commands to work properly, your symbol path           ***
***    must point to .pdb files that have full type information.      ***
***                                                                   ***
***    Certain .pdb files (such as the public OS symbols) do not      ***
***    contain the required information.  Contact the group that      ***
***    provided you with these symbols if you need this command to    ***
***    work.                                                          ***
***                                                                   ***
***    Type referenced: nt!KPRCB                                      ***
***                                                                   ***
*************************************************************************
*************************************************************************
***                                                                   ***
***                                                                   ***
***    Either you specified an unqualified symbol, or your debugger   ***
***    doesn't have full symbol information.  Unqualified symbol      ***
***    resolution is turned off by default. Please either specify a   ***
***    fully qualified symbol module!symbolname, or enable resolution ***
***    of unqualified symbols by typing ".symopt- 100". Note that   ***
***    enabling unqualified symbol resolution with network symbol     ***
***    server shares in the symbol path may cause the debugger to     ***
***    appear to hang for long periods of time when an incorrect      ***
***    symbol name is typed or the network symbol server is down.     ***
***                                                                   ***
***    For some commands to work properly, your symbol path           ***
***    must point to .pdb files that have full type information.      ***
***                                                                   ***
***    Certain .pdb files (such as the public OS symbols) do not      ***
***    contain the required information.  Contact the group that      ***
***    provided you with these symbols if you need this command to    ***
***    work.                                                          ***
***                                                                   ***
***    Type referenced: nt!_KPRCB                                     ***
***                                                                   ***
*************************************************************************
*************************************************************************
***                                                                   ***
***                                                                   ***
***    Either you specified an unqualified symbol, or your debugger   ***
***    doesn't have full symbol information.  Unqualified symbol      ***
***    resolution is turned off by default. Please either specify a   ***
***    fully qualified symbol module!symbolname, or enable resolution ***
***    of unqualified symbols by typing ".symopt- 100". Note that   ***
***    enabling unqualified symbol resolution with network symbol     ***
***    server shares in the symbol path may cause the debugger to     ***
***    appear to hang for long periods of time when an incorrect      ***
***    symbol name is typed or the network symbol server is down.     ***
***                                                                   ***
***    For some commands to work properly, your symbol path           ***
***    must point to .pdb files that have full type information.      ***
***                                                                   ***
***    Certain .pdb files (such as the public OS symbols) do not      ***
***    contain the required information.  Contact the group that      ***
***    provided you with these symbols if you need this command to    ***
***    work.                                                          ***
***                                                                   ***
***    Type referenced: nt!_KPRCB                                     ***
***                                                                   ***
*************************************************************************
*************************************************************************
***                                                                   ***
***                                                                   ***
***    Either you specified an unqualified symbol, or your debugger   ***
***    doesn't have full symbol information.  Unqualified symbol      ***
***    resolution is turned off by default. Please either specify a   ***
***    fully qualified symbol module!symbolname, or enable resolution ***
***    of unqualified symbols by typing ".symopt- 100". Note that   ***
***    enabling unqualified symbol resolution with network symbol     ***
***    server shares in the symbol path may cause the debugger to     ***
***    appear to hang for long periods of time when an incorrect      ***
***    symbol name is typed or the network symbol server is down.     ***
***                                                                   ***
***    For some commands to work properly, your symbol path           ***
***    must point to .pdb files that have full type information.      ***
***                                                                   ***
***    Certain .pdb files (such as the public OS symbols) do not      ***
***    contain the required information.  Contact the group that      ***
***    provided you with these symbols if you need this command to    ***
***    work.                                                          ***
***                                                                   ***
***    Type referenced: nt!_KPRCB                                     ***
***                                                                   ***
*************************************************************************
*************************************************************************
***                                                                   ***
***                                                                   ***
***    Either you specified an unqualified symbol, or your debugger   ***
***    doesn't have full symbol information.  Unqualified symbol      ***
***    resolution is turned off by default. Please either specify a   ***
***    fully qualified symbol module!symbolname, or enable resolution ***
***    of unqualified symbols by typing ".symopt- 100". Note that   ***
***    enabling unqualified symbol resolution with network symbol     ***
***    server shares in the symbol path may cause the debugger to     ***
***    appear to hang for long periods of time when an incorrect      ***
***    symbol name is typed or the network symbol server is down.     ***
***                                                                   ***
***    For some commands to work properly, your symbol path           ***
***    must point to .pdb files that have full type information.      ***
***                                                                   ***
***    Certain .pdb files (such as the public OS symbols) do not      ***
***    contain the required information.  Contact the group that      ***
***    provided you with these symbols if you need this command to    ***
***    work.                                                          ***
***                                                                   ***
***    Type referenced: nt!_KPRCB                                     ***
***                                                                   ***
*************************************************************************
Probably caused by : ntoskrnl.exe ( nt+7efc0 )

Followup: MachineOwner
---------

Did I download the wrong symbol package? What should I do?

Demon10000 · Jan 3, 2013

Code:

***** Kernel symbols are WRONG. Please fix symbols to do analysis.

Wrong symbols; easy to do. I always set windbg up to use the symbols server. That way it just downloads what it needs and I don't have to worry about finding the right symbols for the specific dump I'm looking at.

Follow the article I linked and then try it again. You should get something a little bit different when you analyze it.

Danja · Jan 4, 2013

Thanks a lot! It turned out to be an Acronis driver. I recently reverted from Acronis to a simple Windows 7 backup without actually uninstalling Acronis and it didn't cross my mind that it could have caused a problem. Now I got that stuff uninstalled. Hopefully my BSODs will clear up.

Thanks for helping and educating me about debugging!

Danja · Feb 1, 2013

It's been a while since my last post and since then the problem has almost, but not completely, gone away. I analyzed my latest minidump and got the following:

Code:

Microsoft (R) Windows Debugger Version 6.2.9200.16384 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.


Loading Dump File [C:\Windows\Minidump\013113-11965-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available

Symbol search path is: symsrv*symsrv.dll*E:\Utilities\Microsoft\Symbols*http://msdl.microsoft.com/download/symbols
Executable search path is: 
Windows 7 Kernel Version 7601 (Service Pack 1) MP (8 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 7601.17944.amd64fre.win7sp1_gdr.120830-0333
Machine Name:
Kernel base = 0xfffff800`02e60000 PsLoadedModuleList = 0xfffff800`030a4670
Debug session time: Thu Jan 31 19:58:31.331 2013 (UTC - 8:00)
System Uptime: 4 days 7:16:39.088
Loading Kernel Symbols
...............................................................
................................................................
...........................................................
Loading User Symbols
Loading unloaded module list
...........
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 7A, {fffff6fc40067d10, ffffffffc0000056, 7e248be0, fffff8800cfa2000}

Probably caused by : ntkrnlmp.exe ( nt! ?? ::FNODOBFM::`string'+36bea )

Followup: MachineOwner
---------

4: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

KERNEL_DATA_INPAGE_ERROR (7a)
The requested page of kernel data could not be read in.  Typically caused by
a bad block in the paging file or disk controller error. Also see
KERNEL_STACK_INPAGE_ERROR.
If the error status is 0xC000000E, 0xC000009C, 0xC000009D or 0xC0000185,
it means the disk subsystem has experienced a failure.
If the error status is 0xC000009A, then it means the request failed because
a filesystem failed to make forward progress.
Arguments:
Arg1: fffff6fc40067d10, lock type that was held (value 1,2,3, or PTE address)
Arg2: ffffffffc0000056, error status (normally i/o status code)
Arg3: 000000007e248be0, current process (virtual address for lock type 3, or PTE)
Arg4: fffff8800cfa2000, virtual address that could not be in-paged (or PTE contents if arg1 is a PTE address)

Debugging Details:
------------------


ERROR_CODE: (NTSTATUS) 0xc0000056 - A non close operation has been requested of a file object with a delete pending.

BUGCHECK_STR:  0x7a_c0000056

CUSTOMER_CRASH_COUNT:  1

DEFAULT_BUCKET_ID:  WIN7_DRIVER_FAULT

PROCESS_NAME:  System

CURRENT_IRQL:  0

LAST_CONTROL_TRANSFER:  from fffff80002f4c552 to fffff80002edefc0

STACK_TEXT:  
fffff880`039ee848 fffff800`02f4c552 : 00000000`0000007a fffff6fc`40067d10 ffffffff`c0000056 00000000`7e248be0 : nt!KeBugCheckEx
fffff880`039ee850 fffff800`02f05cbf : fffffa80`0e3a08b0 fffff880`039ee9c0 fffff800`03111540 fffffa80`0e3a08b0 : nt! ?? ::FNODOBFM::`string'+0x36bea
fffff880`039ee930 fffff800`02eec589 : 00000000`00000000 00000000`00000001 ffffffff`ffffffff fffff800`02efdbe3 : nt!MiIssueHardFault+0x28b
fffff880`039eea00 fffff800`02f12a64 : 00000000`00000001 fffff880`0cfa2000 fffffa80`05510000 fffff6fc`40067ce8 : nt!MmAccessFault+0x1399
fffff880`039eeb60 fffff800`02f12c54 : fffffa80`0e0627f0 00000000`00000001 fffffa80`00000000 fffff800`02f0fa9b : nt!MiInPageSingleKernelStack+0x134
fffff880`039eec70 fffff800`02f12bef : 00000000`00000000 00000000`00000001 fffffa80`05510040 00000000`00000080 : nt!MmInPageKernelStack+0x40
fffff880`039eecd0 fffff800`02f12928 : 00000000`00000000 00000000`00000000 fffffa80`05510000 fffffa80`05510000 : nt!KiInSwapKernelStacks+0x1f
fffff880`039eed00 fffff800`03175e5a : 5a385a38`fa57fa57 9c8b9c8b`dd12dd12 813c813c`d3f6d3f6 779c779c`a016a016 : nt!KeSwapProcessOrStack+0x84
fffff880`039eed40 fffff800`02ecfd26 : fffff880`009b2180 fffffa80`055335e0 fffff880`009bd0c0 779c779c`a016a016 : nt!PspSystemThreadStartup+0x5a
fffff880`039eed80 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiStartSystemThread+0x16


STACK_COMMAND:  kb

FOLLOWUP_IP: 
nt! ?? ::FNODOBFM::`string'+36bea
fffff800`02f4c552 cc              int     3

SYMBOL_STACK_INDEX:  1

SYMBOL_NAME:  nt! ?? ::FNODOBFM::`string'+36bea

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: nt

IMAGE_NAME:  ntkrnlmp.exe

DEBUG_FLR_IMAGE_TIMESTAMP:  503f82be

FAILURE_BUCKET_ID:  X64_0x7a_c0000056_nt!_??_::FNODOBFM::_string_+36bea

BUCKET_ID:  X64_0x7a_c0000056_nt!_??_::FNODOBFM::_string_+36bea

Followup: MachineOwner
---------

It looks to me like a memory problem but I ran Memtest and it doesn't show anything wrong. Could there be another explanation?

Please help me diagnose my BSOD

Danja

Limp Gawd

Silicon_Chef

Weaksauce

Demon10000

Supreme [H]ardness

Danja

Limp Gawd

Demon10000

Supreme [H]ardness

Danja

Limp Gawd

Danja

Limp Gawd