[SOLVED] BSOD on startup by way of Drivers, how to identify which driver is the cause?

Yeldur

Honorable
Jan 28, 2017
228
25
10,720
Hi all,

I've been getting BSODs recently on entry, the most recent of which (today) culminated in the rig hanging on the ROG splash screen, which then forced me to do a dirty shutdown, which isn't ideal, prompting an automatic repair to take place. This was after I opted to attempt Windows Updates last night to see if that may resolve any issues. (Windows was forced to revert these updates as a result.)

From reviewing the Event Logs I can see one in there stating the following:

"The system has rebooted without cleanly shutting down first. This error could be caused if the system stopped responding, crashed, or lost power unexpectedly."
followed closely by:
"The driver \Driver\WudfRd failed to load for the device PCI\VEN_5853&DEV_1003\1&1a590e2c&0&03."

So far, as far as causation goes, this is the only thing throwing flags, as I've successfully performed Windows Memory Diagnostics with no issues being found, system file checks with no corruption being found, and lastly checking in on the Device Manager and checking all tabs to ensure nothing in there is throwing errors. As far as I can tell, these issues began this week.

I know that this week I plugged in a new keyboard that is different to that of my old one, and in doing so I needed to download some more drivers for it. However, I went from a Roccat Aimo 120 to a Roccat Aimo 100, where the only real difference is the fact that the 100 doesn't have a hand rest with the keyboard. Besides that, it doesn't appear any different specification-wise, so I'm unclear on whether this is the cause. I also changed my power plan on the rig from Balanced to Performance, though I don't expect this to be the cause.

I suppose the most important question to ask is:

How do I go about identifying what this is: "\Driver\WudfRd" so that I can attempt resolution on these issues?

Any/all assistance is appreciated, thank you!


Note: This is only an issue on startup. During day-to-day operation, once the computer is up and running, everything is running smoothly; there are no BSODs, no issues. The only time this is a problem is when I first power on the rig.

Some computer info:

DxDiag Pastebin Link
PASSWORD: SGgcahkCAm
 
Solution
Single bit corruption in a page file. You will want to delete the virtual memory file (pagefile.sys) and create another one. You will also want to make sure your memory is not overclocked and run a memory test program.

Yeldur


Figured I'd post an eventlog SS to get the full info from it for anyone interested. Let me know if you need anything else.
 

Colif

Win 11 Master
Moderator
If it's only at startup, does it happen after a restart?

You could turn this off and see if it still occurs - https://www.tenforums.com/tutorials/4189-turn-off-fast-startup-windows-10-a.html

Driver\WudfRd = Windows Driver Foundation - User-mode Driver Framework Reflector

Have you updated Windows?

If I search for VEN_5853&DEV_1003 I get results for Citrix Indirect display adapter driver, and one that shows Realtek Audio drivers. If you run a VM, try updating its software.
 

Yeldur

If it's only at startup, does it happen after a restart?

You could turn this off and see if it still occurs - https://www.tenforums.com/tutorials/4189-turn-off-fast-startup-windows-10-a.html

Driver\WudfRd = Windows Driver Foundation - User-mode Driver Framework Reflector

Have you updated Windows?

If I search for VEN_5853&DEV_1003 I get results for Citrix Indirect display adapter driver, and one that shows Realtek Audio drivers. If you run a VM, try updating its software.

It does not, no. Restarts seem to act normally from what I can tell; it only happens upon a fresh boot.

Today it hit a proper snag and forced me to do a system rollback, breaking a number of applications on the computer. For the time being I think I'm going to stop shutting down my rig and just leave it in sleep mode, at least that way I'm more sure that my computer is going to work when I wake up :(

The last time I updated Windows it forced me to roll back the updates due to it breaking something.

I don't have a VM, but I do use Citrix Workspace for my work. I don't know whether I use Realtek audio drivers at all because I have a soundcard installed and that's what my microphone and my headset run through. I checked the drivers for the Realtek audio and no issues were detected.


I run an SFC scan every day so far since the issues began and nothing changes, no issues are found, so I can relatively safely say that it doesn't appear to be anything related to the OS being corrupted.

I ran a chkdsk today too and it found no integrity violations.

I've got some more event logs that I can go through and post, I figured it best to simply post them in order of startup, so here goes:

The previous system shutdown at 1:43:40 PM on 10/12/2021 was unexpected.
The driver \Driver\WudfRd failed to load for the device PCI\VEN_5853&DEV_1003\1&1a590e2c&0&03.
Intel(R) I211 Gigabit Network Connection
Network link is disconnected.
The computer has rebooted from a bugcheck. The bugcheck was: 0x0000001a (0x0000000000041792, 0xffff83816716da08, 0x0000800000000000, 0x0000000000000000). A dump was saved in: C:\WINDOWS\MEMORY.DMP. Report Id: 15812135-3f48-42c4-b474-5b9fd5a5cf7e.

That's the logs up until the point of what I presume forced my computer into a system restore.

From some Google-Fu, I've found a tool that allows me to analyze the MiniDump files that get thrown out after a crash, after doing so it reports the following:

12: kd> !analyze show
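*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************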

MEMORY_MANAGEMENT (1a)
# Any other values for parameter 1 must be individually examined.
Arguments:
Arg1: 0000000000041792, A corrupt PTE has been detected. Parameter 2 contains the address of
the PTE. Parameters 3/4 contain the low/high parts of the PTE.
Arg2: ffff83816716da08
Arg3: 0000800000000000
Arg4: 0000000000000000

Debugging Details:
------------------


BUGCHECK_CODE: 1a

BUGCHECK_P1: 41792

BUGCHECK_P2: ffff83816716da08

BUGCHECK_P3: 800000000000

BUGCHECK_P4: 0

PROCESS_NAME: autochk.exe

MODULE_NAME: hardware

IMAGE_NAME: memory_corruption

FAILURE_BUCKET_ID: MEMORY_CORRUPTION_ONE_BIT

FAILURE_ID_HASH: {e3faf315-c3d0-81db-819a-6c43d23c63a7}

Followup: MachineOwner
---------

I gathered the verbose version too in case that was relevant:

12: kd> !analyze -v
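*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************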

MEMORY_MANAGEMENT (1a)
# Any other values for parameter 1 must be individually examined.
Arguments:
Arg1: 0000000000041792, A corrupt PTE has been detected. Parameter 2 contains the address of
the PTE. Parameters 3/4 contain the low/high parts of the PTE.
Arg2: ffff83816716da08
Arg3: 0000800000000000
Arg4: 0000000000000000

Debugging Details:
------------------


KEY_VALUES_STRING: 1

Key : Analysis.CPU.mSec
Value: 3249

Key : Analysis.DebugAnalysisManager
Value: Create

Key : Analysis.Elapsed.mSec
Value: 10478

Key : Analysis.Init.CPU.mSec
Value: 1249

Key : Analysis.Init.Elapsed.mSec
Value: 65592

Key : Analysis.Memory.CommitPeak.Mb
Value: 73

Key : MemoryManagement.PFN
Value: 800000000

Key : WER.OS.Branch
Value: vb_release

Key : WER.OS.Timestamp
Value: 2019-12-06T14:06:00Z

Key : WER.OS.Version
Value: 10.0.19041.1


BUGCHECK_CODE: 1a

BUGCHECK_P1: 41792

BUGCHECK_P2: ffff83816716da08

BUGCHECK_P3: 800000000000

BUGCHECK_P4: 0

MEMORY_CORRUPTOR: ONE_BIT

BLACKBOXNTFS: 1 (!blackboxntfs)


CUSTOMER_CRASH_COUNT: 1

PROCESS_NAME: autochk.exe

STACK_TEXT:
ffff988d4679f388 fffff8054624423a : 000000000000001a 0000000000041792 ffff83816716da08 0000800000000000 : nt!KeBugCheckEx
ffff988d4679f390 fffff80546242a6f : ffff8688b7883700 0000000000000000 ffff868800000002 0000000000000000 : nt!MiDeleteVa+0x153a
ffff988d4679f490 fffff80546212c10 : 0000000000000001 ffff988d00000000 ffff8688b7883550 ffff8688b7910080 : nt!MiDeletePagablePteRange+0x48f
ffff988d4679f7a0 fffff80546252277 : 000000002ce2db4f 0000000000000000 ffff868800000000 fffff80500000000 : nt!MiDeleteVad+0x360
ffff988d4679f8b0 fffff805465f908c : ffff988d00000000 0000000000000000 ffff988d4679fa10 000002ce2db30000 : nt!MiFreeVadRange+0xa3
ffff988d4679f910 fffff805465f8b65 : 00007ff70784b980 000002ce44f49e50 ffff988d4679fad8 0000000000000000 : nt!MmFreeVirtualMemory+0x4ec
ffff988d4679fa60 fffff80546408bb8 : ffff8688b7910080 ffff868800000001 0000000000000000 ffff868800000000 : nt!NtFreeVirtualMemory+0x95
ffff988d4679fac0 00007ffa4676d134 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : nt!KiSystemServiceCopyEnd+0x28
000000e2f757a4b8 0000000000000000 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : 0x00007ffa`4676d134


MODULE_NAME: hardware

IMAGE_NAME: memory_corruption

STACK_COMMAND: .thread ; .cxr ; kb

FAILURE_BUCKET_ID: MEMORY_CORRUPTION_ONE_BIT

OS_VERSION: 10.0.19041.1

BUILDLAB_STR: vb_release

OSPLATFORM_TYPE: x64

OSNAME: Windows 10

FAILURE_ID_HASH: {e3faf315-c3d0-81db-819a-6c43d23c63a7}

Followup: MachineOwner
 

Yeldur

I'm at a stage now where I feel like the issue may have been identified, but I'm not sure really how to read that Bugcheck, so need some help diagnosing what it's actually saying to me.

Is it trying to say that the process autochk.exe is corrupted?

It's definitely saying something about memory corruption, but when I ran memory diagnostics it didn't detect any issues, I'm wondering how that's possible if it's memory related...

I've also run some of the old dumps from before today, just for comparison:

7: kd> !analyze v
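*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************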

SYSTEM_SERVICE_EXCEPTION (3b)
An exception happened while executing a system service routine.
Arguments:
Arg1: 00000000c0000005, Exception code that caused the bugcheck
Arg2: fffff8015d29b260, Address of the instruction which caused the bugcheck
Arg3: ffffbb0a060b65e0, Address of the context record for the exception that caused the bugcheck
Arg4: 0000000000000000, zero.

Debugging Details:
------------------


BUGCHECK_CODE: 3b

BUGCHECK_P1: c0000005

BUGCHECK_P2: fffff8015d29b260

BUGCHECK_P3: ffffbb0a060b65e0

BUGCHECK_P4: 0

PROCESS_NAME: AsusCertService.exe

SYMBOL_NAME: nt!PsQueryStatisticsProcess+f0

MODULE_NAME: nt

IMAGE_NAME: ntkrnlmp.exe

FAILURE_BUCKET_ID: 0x3B_c0000005_nt!PsQueryStatisticsProcess

FAILURE_ID_HASH: {b442a640-4ccd-b8f4-a97c-070d445273d8}

Followup: MachineOwner
---------

10: kd> !analyze -v
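*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************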

MEMORY_MANAGEMENT (1a)
# Any other values for parameter 1 must be individually examined.
Arguments:
Arg1: 0000000000041792, A corrupt PTE has been detected. Parameter 2 contains the address of
the PTE. Parameters 3/4 contain the low/high parts of the PTE.
Arg2: ffffe43ffadb1928
Arg3: 0000200000000000
Arg4: 0000000000000000

Debugging Details:
------------------


KEY_VALUES_STRING: 1

Key : Analysis.CPU.mSec
Value: 2265

Key : Analysis.DebugAnalysisManager
Value: Create

Key : Analysis.Elapsed.mSec
Value: 2848

Key : Analysis.Init.CPU.mSec
Value: 3421

Key : Analysis.Init.Elapsed.mSec
Value: 35217

Key : Analysis.Memory.CommitPeak.Mb
Value: 73

Key : MemoryManagement.PFN
Value: 200000000

Key : WER.OS.Branch
Value: vb_release

Key : WER.OS.Timestamp
Value: 2019-12-06T14:06:00Z

Key : WER.OS.Version
Value: 10.0.19041.1


BUGCHECK_CODE: 1a

BUGCHECK_P1: 41792

BUGCHECK_P2: ffffe43ffadb1928

BUGCHECK_P3: 200000000000

BUGCHECK_P4: 0

MEMORY_CORRUPTOR: ONE_BIT

BLACKBOXBSD: 1 (!blackboxbsd)


BLACKBOXNTFS: 1 (!blackboxntfs)


BLACKBOXPNP: 1 (!blackboxpnp)


BLACKBOXWINLOGON: 1

CUSTOMER_CRASH_COUNT: 1

PROCESS_NAME: NVDi

STACK_TEXT:
ffff8f83ecd700f8 fffff8067224423a : 000000000000001a 0000000000041792 ffffe43ffadb1928 0000200000000000 : nt!KeBugCheckEx
ffff8f83ecd70100 fffff8067229e586 : 0000000000000000 0000000000000000 00000000000008f6 ffffe43ffadb1928 : nt!MiDeleteVa+0x153a
ffff8f83ecd70200 fffff8067229e69b : ffffe47200000000 ffff9687654d6740 ffff8f8300000000 ffff8f83ecd70670 : nt!MiWalkPageTablesRecursively+0x776
ffff8f83ecd702a0 fffff8067229e69b : ffffe47200000000 ffff9687654d6740 ffff8f8300000001 ffff8f83ecd70680 : nt!MiWalkPageTablesRecursively+0x88b
ffff8f83ecd70340 fffff8067229e69b : ffffe47200000000 ffff9687654d6740 ffff8f8300000002 ffff8f83ecd70690 : nt!MiWalkPageTablesRecursively+0x88b
ffff8f83ecd703e0 fffff80672204f4b : 0000000000000000 ffff9687654d6740 0000000000000003 ffff8f83ecd706a0 : nt!MiWalkPageTablesRecursively+0x88b
ffff8f83ecd70480 fffff80672242ad1 : ffff8f83ecd70620 ffff968700000000 ffffe43e00000002 0000000000000000 : nt!MiWalkPageTables+0x36b
ffff8f83ecd70580 fffff80672212c10 : 0000000000000001 ffff8f8300000000 ffff9687654d6590 ffff968750865600 : nt!MiDeletePagablePteRange+0x4f1
ffff8f83ecd70890 fffff80672600b69 : ffff96875d002800 0000000000000000 ffff968700000000 ffff968700000000 : nt!MiDeleteVad+0x360
ffff8f83ecd709a0 fffff80672600200 : ffff96875d002800 ffff9687556a6d60 ffff968750865600 0000000000000000 : nt!MiUnmapVad+0x49
ffff8f83ecd709d0 fffff806725fe4cf : ffff96875d002da0 ffff96875d002da0 ffff96875d002800 ffff9687654d60c0 : nt!MiCleanVad+0x30
ffff8f83ecd70a00 fffff8067265bfd8 : ffffffff00000000 ffffffffffffffff 0000000000000001 ffff9687654d60c0 : nt!MmCleanProcessAddressSpace+0x137
ffff8f83ecd70a80 fffff806726b0476 : ffff9687654d60c0 ffffa7015e2e2a10 ffff8f83ecd70cd0 0000000000000000 : nt!PspRundownSingleProcess+0x20c
ffff8f83ecd70b10 fffff806726f4d88 : 0000000040010004 00007ffb4a2c3f01 0000000000000004 000000ea8d9a2000 : nt!PspExitThread+0x5f6
ffff8f83ecd70c10 fffff8067220f0d7 : ffff8f83ecd71000 ffff8f83ecd6a000 0000000000000000 0000000000000000 : nt!KiSchedulerApcTerminate+0x38
ffff8f83ecd70c50 fffff806723fb760 : 0000000000000000 ffff8f83ecd70d00 0000000000000000 0000000000000000 : nt!KiDeliverApc+0x487
ffff8f83ecd70d00 fffff80672408c5f : 0000000000000000 ffff8f83e5bb7b40 ffff8f83e5bb7b40 ffff8f83e5bb7b40 : nt!KiInitiateUserApc+0x70
ffff8f83ecd70e40 00007ffb70fb0b80 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : nt!KiSystemServiceExit+0x9f
000000ea8f2ffa60 0000000000000000 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : 0x00007ffb`70fb0b80


MODULE_NAME: hardware

IMAGE_NAME: memory_corruption

STACK_COMMAND: .thread ; .cxr ; kb

FAILURE_BUCKET_ID: MEMORY_CORRUPTION_ONE_BIT

OS_VERSION: 10.0.19041.1

BUILDLAB_STR: vb_release

OSPLATFORM_TYPE: x64

OSNAME: Windows 10

FAILURE_ID_HASH: {e3faf315-c3d0-81db-819a-6c43d23c63a7}

Followup: MachineOwner
---------
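
An added example, not part of any post in this thread: a small Python parser for the Event Log "rebooted from a bugcheck" message that applies the argument meanings WinDbg printed for 0x1A / 0x41792 and lists which bits are set in the reported PTE value. The function names are illustrative, and the sample inputs are copied from the two MEMORY_MANAGEMENT dumps quoted above.

```python
import re

# Sample inputs copied from the Event Log line and the older 0x1A dump in this thread.
EVENT_LINE = ("The computer has rebooted from a bugcheck. The bugcheck was: "
              "0x0000001a (0x0000000000041792, 0xffff83816716da08, "
              "0x0000800000000000, 0x0000000000000000).")
OLDER_DUMP_ARGS = [0x41792, 0xFFFFE43FFADB1928, 0x0000200000000000, 0x0]

BUGCHECK_RE = re.compile(
    r"bugcheck was:\s*0x([0-9a-f]+)\s*\(\s*0x([0-9a-f]+),\s*0x([0-9a-f]+),"
    r"\s*0x([0-9a-f]+),\s*0x([0-9a-f]+)\s*\)", re.IGNORECASE)


def parse_bugcheck(message):
    """Return (code, [p1, p2, p3, p4]) from a 'rebooted from a bugcheck' message."""
    m = BUGCHECK_RE.search(message)
    if m is None:
        raise ValueError("no bugcheck code/parameters found in message")
    values = [int(g, 16) for g in m.groups()]
    return values[0], values[1:]


def set_bits(value):
    """Positions of the bits that are 1 in value (bit 0 = least significant)."""
    return [i for i in range(value.bit_length()) if (value >> i) & 1]


def describe_corrupt_pte(code, params):
    """Summarise a 0x1A / 0x41792 crash using the argument meanings WinDbg printed:
    parameter 2 is the PTE address, parameters 3/4 are the low/high parts of the PTE."""
    p1, pte_address, pte_low, pte_high = params
    if code != 0x1A or p1 != 0x41792:
        return None  # other codes or parameter-1 values need their own reading
    low_bits, high_bits = set_bits(pte_low), set_bits(pte_high)
    return {
        "pte_address": hex(pte_address),
        "pte_low_bits": low_bits,
        "pte_high_bits": high_bits,
        "single_bit": len(low_bits) + len(high_bits) == 1,
    }


if __name__ == "__main__":
    code, params = parse_bugcheck(EVENT_LINE)
    print(describe_corrupt_pte(code, params))
    print(describe_corrupt_pte(0x1A, OLDER_DUMP_ARGS))
```

Both dumps come out with exactly one set bit in the PTE value, which lines up with the MEMORY_CORRUPTOR: ONE_BIT line in the debugger output; how the debugger derives that label is not shown in the thread.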
 

Yeldur

If it's only at startup, does it happen after a restart?

You could turn this off and see if it still occurs - https://www.tenforums.com/tutorials/4189-turn-off-fast-startup-windows-10-a.html

Driver\WudfRd = Windows Driver Foundation - User-mode Driver Framework Reflector

Have you updated Windows?

If I search for VEN_5853&DEV_1003 I get results for Citrix Indirect display adapter driver, and one that shows Realtek Audio drivers. If you run a VM, try updating its software.

I should mention also, I have completely uninstalled Citrix Workspace from my machine in an effort to see if this might be one of the issues; so if it is this causing the issue, we'll find out soon enough.
 
