Question BSOD Dump File Analysis. WinDbg saying one thing. BlueScreenView another.

Oct 4, 2018
Hi Everyone,

I have multiple Dell 990, Windows 7 computers BSOD'ing. If you read the dump files in WinDbg...it only talks about:

edpa.exe
vnwcd.sys

edpa.exe is a Data Loss Prevention software that runs in the background.
vnwcd.sys is a driver for the program.

However if you put the .dmp's in BlueScreenView...they all say the faulting driver is:

ntoskrnl.exe

I read somewhere that sometimes a Blue Screen can be blamed on ntoskrnl.exe when it is actually a different driver. I am in kind of a standoff with people trying to find what to blame. Would anyone want to read the .dmp file below and maybe see what they can determine? Thanks!

____
.dmp file below
____

Microsoft (R) Windows Debugger Version 10.0.17763.132 X86
Copyright (c) Microsoft Corporation. All rights reserved.


Loading Dump File [C:\Users\schmikr1\Desktop\FTIR Crash Dumps 2019\021819-7472-01 - Copy.dmp]
Mini Kernel Dump File: Only registers and stack trace are available

Symbol search path is: srv*
Executable search path is:
Windows 7 Kernel Version 7601 (Service Pack 1) MP (8 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 7601.24335.amd64fre.win7sp1_ldr_escrow.181228-0954
Machine Name:
Kernel base = 0xfffff80002e5b000 PsLoadedModuleList = 0xfffff80003094c90
Debug session time: Mon Feb 18 16:02:27.797 2019 (UTC - 6:00)
System Uptime: 0 days 0:38:23.624
Loading Kernel Symbols
...............................................................
................................................................
.......................................
Loading User Symbols
Loading unloaded module list
.....
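*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************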

Use !analyze -v to get detailed debugging information.

BugCheck 50, {fffffef0fd000000, 0, fffff88000e6c926, 7}

*** WARNING: Unable to verify timestamp for vnwcd.sys
*** ERROR: Module load completed but symbols could not be loaded for vnwcd.sys

Could not read faulting driver name
Probably caused by : vnwcd.sys ( vnwcd+32bd )

Followup: MachineOwner
---------

5: kd> !analyze -v
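*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************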

PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced. This cannot be protected by try-except.
Typically the address is just plain bad or it is pointing at freed memory.
Arguments:
Arg1: fffffef0fd000000, memory referenced.
Arg2: 0000000000000000, value 0 = read operation, 1 = write operation.
Arg3: fffff88000e6c926, If non-zero, the instruction address which referenced the bad memory
address.
Arg4: 0000000000000007, (reserved)

Debugging Details:
------------------


Could not read faulting driver name

KEY_VALUES_STRING: 1


STACKHASH_ANALYSIS: 1

TIMELINE_ANALYSIS: 1


DUMP_CLASS: 1

DUMP_QUALIFIER: 400

BUILD_VERSION_STRING: 7601.24335.amd64fre.win7sp1_ldr_escrow.181228-0954

SYSTEM_MANUFACTURER: Dell Inc.

SYSTEM_PRODUCT_NAME: OptiPlex 990

SYSTEM_VERSION: 01

BIOS_VENDOR: Dell Inc.

BIOS_VERSION: A10

BIOS_DATE: 11/24/2011

BASEBOARD_MANUFACTURER: Dell Inc.

BASEBOARD_PRODUCT: 0VNP2H

BASEBOARD_VERSION: A00

DUMP_TYPE: 2

BUGCHECK_P1: fffffef0fd000000

BUGCHECK_P2: 0

BUGCHECK_P3: fffff88000e6c926

BUGCHECK_P4: 7

READ_ADDRESS: GetPointerFromAddress: unable to read from fffff800030f8100
Unable to get MmSystemRangeStart
GetUlongPtrFromAddress: unable to read from fffff800030f82f0
GetUlongPtrFromAddress: unable to read from fffff800030f84a8
GetPointerFromAddress: unable to read from fffff800030f80d8
fffffef0fd000000 Nonpaged pool

FAULTING_IP:
Wdf01000!imp_WdfSpinLockAcquire+6a
fffff88000e6c926 66397b08 cmp word ptr [rbx+8],di

MM_INTERNAL_CODE: 7

CPU_COUNT: 8

CPU_MHZ: d40

CPU_VENDOR: GenuineIntel

CPU_FAMILY: 6

CPU_MODEL: 2a

CPU_STEPPING: 7

CPU_MICROCODE: 6,2a,7,0 (F,M,S,R) SIG: 23'00000000 (cache) 23'00000000 (init)

DEFAULT_BUCKET_ID: WIN7_DRIVER_FAULT

BUGCHECK_STR: 0x50

PROCESS_NAME: edpa.exe

CURRENT_IRQL: 0

ANALYSIS_SESSION_HOST: C001719273

ANALYSIS_SESSION_TIME: 02-18-2019 16:12:15.0699

ANALYSIS_VERSION: 10.0.17763.132 x86fre

TRAP_FRAME: fffff880069c21e0 -- (.trap 0xfffff880069c21e0)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=0000000000000000 rbx=0000000000000000 rcx=0000000000000000
rdx=0000010f03000000 rsi=0000000000000000 rdi=0000000000000000
rip=fffff88000e6c926 rsp=fffff880069c2370 rbp=0000000000000000
r8=000000000000cc00 r9=0000000000000000 r10=fffff80002e5b000
r11=0000000000000000 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei pl zr na po nc
Wdf01000!imp_WdfSpinLockAcquire+0x6a:
fffff88000e6c926 66397b08 cmp word ptr [rbx+8],di ds:0000000000000008=????
Resetting default scope

LAST_CONTROL_TRANSFER: from fffff80002fc68f8 to fffff80002eeeba0

STACK_TEXT:
fffff880069c2088 fffff80002fc68f8 : 0000000000000050 fffffef0fd000000 0000000000000000 fffff880069c21e0 : nt!KeBugCheckEx
fffff880069c2090 fffff80002efac96 : 0000000000000000 fffffef0fd000000 0000000000000000 fffffef0fcfffff8 : nt!MmAccessFault+0x6b8
fffff880069c21e0 fffff88000e6c926 : 0000000000000000 0000000000000a87 0000000000000000 fffff88006f3c9de : nt!KiPageFault+0x356
fffff880069c2370 fffff88006f3d2bd : fffffa800967b630 fffffa800967b630 0000000000000000 0000000000000a87 : Wdf01000!imp_WdfSpinLockAcquire+0x6a
fffff880069c23c0 fffffa800967b630 : fffffa800967b630 0000000000000000 0000000000000a87 0000000000000000 : vnwcd+0x32bd
fffff880069c23c8 fffffa800967b630 : 0000000000000000 0000000000000a87 0000000000000000 fffffa8009b09020 : 0xfffffa800967b630
fffff880069c23d0 0000000000000000 : 0000000000000a87 0000000000000000 fffffa8009b09020 fffffa800ce8c020 : 0xfffffa800967b630

THREAD_SHA1_HASH_MOD_FUNC: ffaf26653a2c6a316b5bb0d9f365a8f5225d752a

THREAD_SHA1_HASH_MOD_FUNC_OFFSET: 55550a82e09d56810855c9bdfafc22c642115eb2

THREAD_SHA1_HASH_MOD: 314a4b292903940072e28acceeb2a5c296b53620

FOLLOWUP_IP:
vnwcd+32bd
fffff88006f3d2bd ?? ???

SYMBOL_STACK_INDEX: 4

SYMBOL_NAME: vnwcd+32bd

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: vnwcd

IMAGE_NAME: vnwcd.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 597b0106

STACK_COMMAND: .thread ; .cxr ; kb

FAILURE_BUCKET_ID: X64_0x50_vnwcd+32bd

BUCKET_ID: X64_0x50_vnwcd+32bd

PRIMARY_PROBLEM_CLASS: X64_0x50_vnwcd+32bd

TARGET_TIME: 2019-02-18T22:02:27.000Z

OSBUILD: 7601

OSSERVICEPACK: 1000

SERVICEPACK_NUMBER: 0

OS_REVISION: 0

SUITE_MASK: 272

PRODUCT_TYPE: 1

OSPLATFORM_TYPE: x64

OSNAME: Windows 7

OSEDITION: Windows 7 WinNt (Service Pack 1) TerminalServer SingleUserTS

OS_LOCALE:

USER_LCID: 0

OSBUILD_TIMESTAMP: 2018-12-28 13:28:56

BUILDDATESTAMP_STR: 181228-0954

BUILDLAB_STR: win7sp1_ldr_escrow

BUILDOSVER_STR: 6.1.7601.24335.amd64fre.win7sp1_ldr_escrow.181228-0954

ANALYSIS_SESSION_ELAPSED_TIME: 8c1

ANALYSIS_SOURCE: KM

FAILURE_ID_HASH_STRING: km:x64_0x50_vnwcd+32bd

FAILURE_ID_HASH: {b57a787b-b292-0802-66a4-e7bdf347ae0c}

Followup: MachineOwner
---------

5: kd> .bugcheck
Bugcheck code 00000050
Arguments fffffef0fd000000 0000000000000000 fffff88000e6c926 0000000000000007
 
Not at all sure about the dump file.

However, on one of the problem Windows 7 computers just take the Data Loss Prevention software out of startup.

Determine if the BSODs stop or not.

You can also try booting into safe mode to see if that makes a difference.

Event Viewer may also be helpful with respect to revealing error codes and warnings corresponding with the BSODs.

Consider reinstalling the Data Loss Prevention software. May be that some update (Windows or the Data Loss Software) was corrupted or created a conflict of some sort.
 
Thanks a lot Ralston.

At first removing the DLP wasn't an option (long story) so we upgraded the drivers. That didn't help.
We were finally just 5 minutes ago able to uninstall the DLP software. Hope this solves it!

Our computers did receive a blast of unwanted updates about a week ago, and we think that might have something to do with it as well.

Thanks for the input.
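
The two answers in the question can be reproduced from the STACK_TEXT in the posted dump: one rule blames the module at the top of the stack, the other walks down to the first module that is not part of the OS. This is an added example, not part of the thread and not either tool's actual algorithm; the `OS_MODULES` list and the function names are assumptions made for illustration.

```python
import re

# Frames copied from STACK_TEXT in the dump posted above.
STACK_TEXT = """\
fffff880069c2088 fffff80002fc68f8 : 0000000000000050 fffffef0fd000000 0000000000000000 fffff880069c21e0 : nt!KeBugCheckEx
fffff880069c2090 fffff80002efac96 : 0000000000000000 fffffef0fd000000 0000000000000000 fffffef0fcfffff8 : nt!MmAccessFault+0x6b8
fffff880069c21e0 fffff88000e6c926 : 0000000000000000 0000000000000a87 0000000000000000 fffff88006f3c9de : nt!KiPageFault+0x356
fffff880069c2370 fffff88006f3d2bd : fffffa800967b630 fffffa800967b630 0000000000000000 0000000000000a87 : Wdf01000!imp_WdfSpinLockAcquire+0x6a
fffff880069c23c0 fffffa800967b630 : fffffa800967b630 0000000000000000 0000000000000a87 0000000000000000 : vnwcd+0x32bd
fffff880069c23c8 fffffa800967b630 : 0000000000000000 0000000000000a87 0000000000000000 fffffa8009b09020 : 0xfffffa800967b630
fffff880069c23d0 0000000000000000 : 0000000000000a87 0000000000000000 fffffa8009b09020 fffffa800ce8c020 : 0xfffffa800967b630
"""

# Assumption: modules treated as Microsoft-supplied and skipped when assigning blame.
# nt is ntoskrnl.exe; Wdf01000 is the Kernel-Mode Driver Framework runtime.
OS_MODULES = {"nt", "hal", "Wdf01000"}

# child-SP, return address, four argument words, then the symbol column.
FRAME_RE = re.compile(r"^[0-9a-f]+ [0-9a-f]+ : (?:[0-9a-f]+ ){4}: (\S+)$")

def parse_frames(text):
    """Return [(module_or_None, symbol)] for each STACK_TEXT line."""
    frames = []
    for line in text.splitlines():
        m = FRAME_RE.match(line.strip())
        if not m:
            continue
        symbol = m.group(1)
        # A bare 0x... value means the debugger could not map the frame to a module.
        module = None if symbol.startswith("0x") else re.split(r"[!+]", symbol)[0]
        frames.append((module, symbol))
    return frames

def top_of_stack_module(frames):
    """Naive rule: blame whichever module was executing when the system halted."""
    return frames[0][0]

def first_third_party(frames):
    """Walk down the stack; return (index, symbol) of the first non-OS module."""
    for i, (module, symbol) in enumerate(frames):
        if module and module not in OS_MODULES:
            return i, symbol
    return None

if __name__ == "__main__":
    frames = parse_frames(STACK_TEXT)
    print("top of stack:", top_of_stack_module(frames))
    print("first third-party frame:", first_third_party(frames))
```

The frame index returned for vnwcd is the same as the SYMBOL_STACK_INDEX: 4 reported by !analyze -v, while the top-of-stack rule lands on nt!KeBugCheckEx, which every bugcheck passes through.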
 
