Question Intermittent BSOD - Bugcheck 0x0000003b

[Pareeeee]

Hi there,

Trying to figure out what's going on with my husband's computer. Received another BSOD today - here's what Event Viewer says:
The computer has rebooted from a bugcheck. The bugcheck was: 0x0000003b (0x00000000c0000005, 0xfffff8004e6c2977, 0xffffb606f9bbe670, 0x0000000000000000). A dump was saved in: C:\Windows\MEMORY.DMP. Report Id: 1f2ec02a-332f-49cb-9354-53a55e3bbb22.

Here are the system specs:
http://speccy.piriform.com/results/qjghP42C5WEnZInRMJjmBT7

I have a dump file but not sure how to attach it, I don't see an attachment option. So here is the copy/paste from windbg:

Microsoft (R) Windows Debugger Version 10.0.25200.1003 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.


Loading Dump File [C:\Windows\MEMORY.DMP]
Kernel Bitmap Dump File: Kernel address space is available, User address space may not be available.


************* Path validation summary **************
Response                         Time (ms)     Location
Deferred                                       srv*
Symbol search path is: srv*
Executable search path is:
Windows 10 Kernel Version 19041 MP (4 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS Personal
Edition build lab: 19041.1.amd64fre.vb_release.191206-1406
Machine Name:
Kernel base = 0xfffff800`4e400000 PsLoadedModuleList = 0xfffff800`4f02a210
Debug session time: Thu Mar  2 13:42:50.724 2023 (UTC - 5:00)
System Uptime: 0 days 4:37:40.367
Loading Kernel Symbols
...............................................................
................................................................
.........Page 4088c0 not present in the dump file. Type ".hh dbgerr004" for details
...................................................
Loading User Symbols
PEB is paged out (Peb.Ldr = 00000000`01040018).  Type ".hh dbgerr001" for details
Loading unloaded module list
.........................
For analysis of this file, run !analyze -v
nt!KeBugCheckEx:
fffff800`4e7fa090 48894c2408      mov     qword ptr [rsp+8],rcx ss:0018:ffffb606`f9bbdd70=000000000000003b
1: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

SYSTEM_SERVICE_EXCEPTION (3b)
An exception happened while executing a system service routine.
Arguments:
Arg1: 00000000c0000005, Exception code that caused the BugCheck
Arg2: fffff8004e6c2977, Address of the instruction which caused the BugCheck
Arg3: ffffb606f9bbe670, Address of the context record for the exception that caused the BugCheck
Arg4: 0000000000000000, zero.

Debugging Details:
------------------


KEY_VALUES_STRING: 1

    Key  : Analysis.CPU.mSec
    Value: 4452

    Key  : Analysis.DebugAnalysisManager
    Value: Create

    Key  : Analysis.Elapsed.mSec
    Value: 4445

    Key  : Analysis.IO.Other.Mb
    Value: 0

    Key  : Analysis.IO.Read.Mb
    Value: 0

    Key  : Analysis.IO.Write.Mb
    Value: 0

    Key  : Analysis.Init.CPU.mSec
    Value: 2280

    Key  : Analysis.Init.Elapsed.mSec
    Value: 5619

    Key  : Analysis.Memory.CommitPeak.Mb
    Value: 93

    Key  : Bugcheck.Code.DumpHeader
    Value: 0x3b

    Key  : Bugcheck.Code.KiBugCheckData
    Value: 0x3b

    Key  : Bugcheck.Code.Register
    Value: 0x3b

    Key  : WER.OS.Branch
    Value: vb_release

    Key  : WER.OS.Timestamp
    Value: 2019-12-06T14:06:00Z

    Key  : WER.OS.Version
    Value: 10.0.19041.1


FILE_IN_CAB:  MEMORY.DMP

BUGCHECK_CODE:  3b

BUGCHECK_P1: c0000005

BUGCHECK_P2: fffff8004e6c2977

BUGCHECK_P3: ffffb606f9bbe670

BUGCHECK_P4: 0

CONTEXT:  ffffb606f9bbe670 -- (.cxr 0xffffb606f9bbe670)
rax=3fffffffffff0000 rbx=0000000000000000 rcx=0000000436780000
rdx=0000000000000000 rsi=ffffd28fbc4c3c00 rdi=fffff45241f4a400
rip=fffff8004e6c2977 rsp=ffffb606f9bbf070 rbp=fffff45241f4a600
r8=fffff40000000001  r9=afff918a7e44e460 r10=ffff918a7cc5a500
r11=ffffb606f9bbf040 r12=ffff918a7d966630 r13=fffff8004f050ac0
r14=ffffd28fbc510000 r15=0000000000000000
iopl=0         nv up ei pl zr na po nc
cs=0010  ss=0018  ds=002b  es=002b  fs=0053  gs=002b             efl=00050246
nt!MmMapViewInSystemCache+0x1f7:
fffff800`4e6c2977 49836110fc      and     qword ptr [r9+10h],0FFFFFFFFFFFFFFFCh ds:002b:afff918a`7e44e470=????????????????
Resetting default scope

BLACKBOXBSD: 1 (!blackboxbsd)


BLACKBOXNTFS: 1 (!blackboxntfs)


BLACKBOXPNP: 1 (!blackboxpnp)


BLACKBOXWINLOGON: 1

PROCESS_NAME:  explorer.exe

STACK_TEXT:
ffffb606`f9bbf070 fffff800`4e6c3d0e     : 00000004`36780000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!MmMapViewInSystemCache+0x1f7
ffffb606`f9bbf1f0 fffff800`4e70686a     : 00000004`36780000 ffff918a`00000000 ffff918a`00000000 fffff800`00000000 : nt!CcGetVacbMiss+0xce
ffffb606`f9bbf280 fffff800`4eaf6b60     : 00000004`00000000 00000000`00000000 ffffb606`f9bbf3c0 ffffb606`f9bbf3d0 : nt!CcGetVirtualAddress+0x33a
ffffb606`f9bbf320 fffff800`4e705e79     : 00000000`00000000 00000004`36780000 00000000`00000000 ffff918a`7bbc1001 : nt!CcMapAndCopyFromCache+0x80
ffffb606`f9bbf3c0 fffff800`52c10eb1     : ffffd28f`ab243208 fffff800`00000001 ffff918a`00100000 00000000`00000000 : nt!CcCopyReadEx+0x139
ffffb606`f9bbf470 fffff800`52c089e7     : 00000008`5fe633df ffffb606`f9bbf720 00000000`00000001 ffffd28f`ab2431b0 : Ntfs!NtfsCachedRead+0x17d
ffffb606`f9bbf4e0 fffff800`52c0926c     : ffff918a`7129e9a8 ffff918a`768c42b0 00000008`5fe633df 00000000`00000000 : Ntfs!NtfsCommonRead+0x1fc7
ffffb606`f9bbf6f0 fffff800`4e6954d5     : ffff918a`7e302a60 ffff918a`768c42b0 ffff918a`768c42b0 ffff918a`7e628710 : Ntfs!NtfsFsdRead+0x1fc
ffffb606`f9bbf7c0 fffff800`4ca070cf     : ffff918a`6eb30007 00000000`00000000 ffff918a`7d5a8b60 ffff918a`7fb48c10 : nt!IofCallDriver+0x55
ffffb606`f9bbf800 fffff800`4ca04a03     : ffffb606`f9bbf890 00000000`00000000 00000000`00000001 00000000`20707249 : FLTMGR!FltpLegacyProcessingAfterPreCallbacksCompleted+0x28f
ffffb606`f9bbf870 fffff800`4e6954d5     : ffff918a`768c42b0 ffffb606`f9bbfa38 ffffb606`00000000 ffff918a`7fb48c10 : FLTMGR!FltpDispatch+0xa3
ffffb606`f9bbf8d0 fffff800`4eaa6048     : 00000000`00000000 ffff918a`7fb48c10 00000000`00000001 fffff800`4ca39601 : nt!IofCallDriver+0x55
ffffb606`f9bbf910 fffff800`4ea7e459     : ffff918a`00000000 ffffb606`f9bbfb80 ffff918a`7f0250e0 ffffb606`f9bbfb80 : nt!IopSynchronousServiceTail+0x1a8
ffffb606`f9bbf9b0 fffff800`4e80d8f8     : 00000000`00000000 00000000`00005174 00000000`00000000 00000000`2e67b530 : nt!NtReadFile+0x599
ffffb606`f9bbfa90 00007fff`974ad184     : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x28
00000000`315bc968 00000000`00000000     : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x00007fff`974ad184


SYMBOL_NAME:  nt!MmMapViewInSystemCache+1f7

MODULE_NAME: nt

STACK_COMMAND:  .cxr 0xffffb606f9bbe670 ; kb

IMAGE_NAME:  ntkrnlmp.exe

BUCKET_ID_FUNC_OFFSET:  1f7

FAILURE_BUCKET_ID:  AV_nt!MmMapViewInSystemCache

OS_VERSION:  10.0.19041.1

BUILDLAB_STR:  vb_release

OSPLATFORM_TYPE:  x64

OSNAME:  Windows 10

FAILURE_ID_HASH:  {92492aee-241b-c907-9bfa-63e97856482e}

Followup:     MachineOwner
---------

Appreciate any help with this!! Thanks!

 

[johnbl]

since the exception code was
00000000c0000005
it just means one of the addresses used was invalid for some reason.
when you look at the address it looks like a valid kernel mode address but you can not tell if one of the bits is incorrect.

(it is actually much easier to diagnose if the address is totally invalid)

in this case, you would run memtest86 to test that the memory timings are correct.
if you have a debugger you would also check for modified windows core files.
debugger command:
!for_each_module !chkimg @#ModuleName
and I look for overclocking drivers
I list the drivers out in alphabetical order in the debugger with this command:
lmiftsm

note:
0x00007fff`974ad184 example of user mode address
fffff8004e6c2977 example of kernel mode address

note: in this case it is particularly hard to pinpoint the cause since the final error came out of some cache manager routines. IE you do not know if the error is in ram inside the CPU including the various levels of the cache RAM inside the cpu. Meaning it could be a over heated cpu, power problem to the cpu, incorrect bios settings. old chipset drieres, bad overclock drivers.
just to hard to tell.

for this problem you could copy the memory.dmp file to a server, share the file for public access and post a link. Most likely it will take several iterations to figure out the problem. IE several bugchecks.
note: seeing a lot of strange looking bugchecks on AMD Cpu that look to too low power being applied to the CPU after new low power settings were put into effect. You might consider running in windows high power mode to see if it has and effect.

 

[Pareeeee]

Ok so I found out my BIOS was outdated - just updated it.
I ran memtest and it came back after 4 passes as "PASSED"

Unfortunately I'm very much a beginner with Windbg - I just know how to use the analyze feature on the dmp file and copy/pasted the info. Not sure what I'm looking for in the list your code gave me - it's a mile long :/

Here's the minidump file from the bugcheck:
https://drive.google.com/file/d/1nXE_-kISkTurHMPMmt8LThT40PsJNJyp/view?usp=sharing

The Windows power plan is "AMD Ryzen Balanced" I'll change it over to high performance if the updated BIOS ends up not helping.

 

[johnbl]

Ok so I found out my BIOS was outdated - just updated it.
I ran memtest and it came back after 4 passes as "PASSED"

Unfortunately I'm very much a beginner with Windbg - I just know how to use the analyze feature on the dmp file and copy/pasted the info. Not sure what I'm looking for in the list your code gave me - it's a mile long :/

Here's the minidump file from the bugcheck:
https://drive.google.com/file/d/1nXE_-kISkTurHMPMmt8LThT40PsJNJyp/view?usp=sharing

The Windows power plan is "AMD Ryzen Balanced" I'll change it over to high performance if the updated BIOS ends up not helping.

big red flag: two overclock drivers with the same name being loaded from different directories.
C:\Program Files (x86)\MSI\MSI Center\Lib\SYS\NTIOLib_X64.sys Wed Apr 27 00:47:43 2022

C:\Program Files (x86)\MSI\MSI Center\Lib\NTIOLib_X64.sys Sun Jul 9 18:54:30 2017 (**this copy of the driver is problematic *)

the windows memory manager detects the driver collision and loads one with a offset and it appears in the debugger like this:

NTIOLib_X64_fffff800b9a40000

you want to download microsoft autoruns from here:
Autoruns for Windows - Sysinternals | Microsoft Learn
find both copies of ntiolib_x64 and remove the driver entries.

msi setup program does not remove the old driver, they just tell you to remove it before installing a new one in the docs somewhere. Normally, it would not be a problem but they have moved the default install directory several times over the years.

having two copies running means the first copy will add offsets to voltages and frequencies, then the second copy also does the same.

note:
also have
C:\Program Files\AMD\RyzenMaster\bin\AMDRyzenMasterDriver.sys Thu May 12 23:01:00 2022
running.

2 modified windows files also:
win32k.sys unavailable (00000000)
and
win32kfull.sys unavailable (00000000)

(this file was not modified)
\SystemRoot\System32\win32kbase.sys 2689368B

the first two files are commonly hacked, the build number/timestamp has been removed to prevent the debugger from displaying the code changes.

to fix you have to
run cmd.exe as an admin then run
dism.exe /online /cleanup-image /restorehealth

then turn off the system virtual memory to delete the pagefile.sys then reboot and turn it back on.

with windows 7 it was ok to modify the files but it is not allowed now but some programs still do but the make the change in copy in virtual memory. now, if the files are changed you end up assuming it is malware that makes the changes. (but could be a legit program)

machine info:
Manufacturer Gigabyte Technology Co., Ltd.
Product Name B450M DS3H V2
BIOS Version F61c
BIOS Starting Address Segment f000
BIOS Release Date 05/10/2021
Processor Version AMD Ryzen 3 3200G with Radeon Vega Graphics
Processor Voltage 8eh - 1.4V
External Clock 100MHz
Max Speed 4000MHz
Current Speed 3600MHz

 

[johnbl]

you have a bad version of the realtek motherboard audio driver installed.
RTKVHD64.sys Tue May 14 04:25:05 2019

get the 2022/07/25 from here:
B450M DS3H V2 (rev. 1.x) Support | Motherboard - GIGABYTE Global

gdrv3.sys Tue Aug 23 20:08:05 2022
i think this is a gigabyte overclocking driver.
I would remove until you figure out the bugcheck problem.

I am still thinking on what could have caused your bugcheck. basically,
explorer.exe was running, attempt to read a file, a file filter was called, then an attempt to read from the file system, then an attempt to read from virtual memory,
then an attempt to read from the file system cache,
then a bugcheck due to a access violation.

at this point I would be looking at the storage driver or firmware of the drive as a failure point.

All I can say would be to fix the problems that we found and wait for the next bugcheck.

the old version of the realtek sound driver tends to corrupt the sound driver for GPU cards by corrupting the GPU drivers data buffer and causing a stack over flow. I do not see how it could cause this bugcheck.

maybe run crystaldiskinfo.exe and read the firmware version of the drive then check for firmware updates.

I think you already installed the updated chipset drivers and I assume you are not running a raid driver.

 

[Pareeeee]

Thank you for your in-depth responses.

I've deleted both instances of NTIOLib_X64 - what is the correct driver to reinstall in its place?

I ran DISM - completed successfully. Also for good measure ran sfc scannow and it found corrupted files and fixed them.

I already have the latest firmware for the SSD.

What would you like me to do with win32k.sys and win32kfull.sys ?

 

[johnbl]

Thank you for your in-depth responses.

I've deleted both instances of NTIOLib_X64 - what is the correct driver to reinstall in its place?

I ran DISM - completed successfully. Also for good measure ran sfc scannow and it found corrupted files and fixed them.

I already have the latest firmware for the SSD.

What would you like me to do with win32k.sys and win32kfull.sys ?

running the dism commands should fix the files on disk. turn off virtual memory to delete the pagefile.sys reboot and turn it back on to create a new one. that should fix the modified copy in virtual memory.

you should not need to replace the ntiolib_x64.dll it is most likely just a external GPU overclock driver for a MSI add in gpu.

 

[Pareeeee]

Thank you for all the help. After doing everything you suggested there have been no more problems with the PC. Not sure which one in particular fixed the problem, but thank you!