Question ntoskrnl.exe bsod

[Sir Friksy]

Hey Guys I have recently reinstalled windows and I am getting a lot of BSODs since then.
My config is:
rtx 3060 12gb
ryzen 5 3600
16 gb ram
b450m motherboard


On Sat 7/23/2022 12:06:56 PM your computer crashed or a problem was reported
crash dump file: C:\WINDOWS\Minidump\072322-10250-01.dmp
This was probably caused by the following module: ntoskrnl.exe (nt+0x3F8590)
Bugcheck code: 0x139 (0x3, 0xFFFF9C8FFF2F9750, 0xFFFF9C8FFF2F96A8, 0x0)
Error: KERNEL_SECURITY_CHECK_FAILURE
file path: C:\WINDOWS\system32\ntoskrnl.exe
product: Microsoft® Windows® Operating System
company: Microsoft Corporation
description: NT Kernel & System
Bug check description: The kernel has detected the corruption of a critical data structure.
The crash took place in the Windows kernel. Possibly this problem is caused by another driver that cannot be identified at this time.



On Sat 7/23/2022 12:06:56 PM your computer crashed or a problem was reported
crash dump file: C:\WINDOWS\MEMORY.DMP
This was probably caused by the following module: bam.sys (bam+0x8EB3)
Bugcheck code: 0x139 (0x3, 0xFFFF9C8FFF2F9750, 0xFFFF9C8FFF2F96A8, 0x0)
Error: KERNEL_SECURITY_CHECK_FAILURE
file path: C:\WINDOWS\system32\drivers\bam.sys
product: Microsoft® Windows® Operating System
company: Microsoft Corporation
description: BAM Kernel Driver
Bug check description: The kernel has detected the corruption of a critical data structure.
The crash took place in a Microsoft module. Your system configuration may be incorrect. Possibly this problem is caused by another driver on your system that cannot be identified at this time.



On Sat 7/23/2022 11:01:49 AM your computer crashed or a problem was reported
crash dump file: C:\WINDOWS\Minidump\072322-9484-01.dmp
This was probably caused by the following module: ntoskrnl.exe (nt+0x3F8590)
Bugcheck code: 0xF7 (0xFFFFB20BB70DD438, 0xC5A3A409436F, 0xFFFF3A5C5BF6BC90, 0x0)
Error: DRIVER_OVERRAN_STACK_BUFFER
file path: C:\WINDOWS\system32\ntoskrnl.exe
product: Microsoft® Windows® Operating System
company: Microsoft Corporation
description: NT Kernel & System
Bug check description: This indicates that a driver has overrun a stack-based buffer.
This appears to be a typical software driver bug and is not likely to be caused by a hardware problem.
The crash took place in the Windows kernel. Possibly this problem is caused by another driver that cannot be identified at this time.



On Sat 7/23/2022 10:01:41 AM your computer crashed or a problem was reported
crash dump file: C:\WINDOWS\Minidump\072322-9671-01.dmp
This was probably caused by the following module: hardware.sys (hardware)
Bugcheck code: 0x3B (0xC000001D, 0xFFFFF80420A09BC1, 0xFFFFC7015050F920, 0x0)
Error: SYSTEM_SERVICE_EXCEPTION
Bug check description: This indicates that an exception happened while executing a routine that transitions from non-privileged code to privileged code.
This appears to be a typical software driver bug and is not likely to be caused by a hardware problem.
A third party driver was identified as the probable root cause of this system error. It is suggested you look for an update for the following driver: hardware.sys .
Google query: hardware.sys SYSTEM_SERVICE_EXCEPTION

 

[Ralston18]

What was the original reason for reinstalling Windows?

PSU: make, model, wattage, age, condition (original to build, new, refurbished, used)?

Look in Reliability History and Event Viewer. Either one or both may be capturing some related error codes, warnings, or informational events.

Check Update History for any failed or problem updates.

Run the built-in Windows Troubleshooters. The troubleshooters may find and fix something.

Try "sfc /scannow" and "dism"

https://www.lifewire.com/how-to-use-sfc-scannow-to-repair-windows-system-files-2626161

https://www.windowscentral.com/how-use-dism-command-line-utility-repair-windows-10-image

 

[Colif]

1. Open Windows File Explore
   
2. Navigate to C:\Windows\Minidump
   
3. Copy the mini-dump files out onto your Desktop
   
4. Do not use Winzip, use the built in facility in Windows
   
5. Select those files on your Desktop, right click them and choose 'Send to' - Compressed (zipped) folder
   
6. Upload the zip file to the Cloud (OneDrive, DropBox . . . etc.)
   
7. Then post a link here to the zip file, so we can take a look for you . . .
   

 

[Sir Friksy]

What was the original reason for reinstalling Windows?

PSU: make, model, wattage, age, condition (original to build, new, refurbished, used)?

Look in Reliability History and Event Viewer. Either one or both may be capturing some related error codes, warnings, or informational events.

Check Update History for any failed or problem updates.

Run the built-in Windows Troubleshooters. The troubleshooters may find and fix something.

Try "sfc /scannow" and "dism"

https://www.lifewire.com/how-to-use-sfc-scannow-to-repair-windows-system-files-2626161

https://www.windowscentral.com/how-use-dism-command-line-utility-repair-windows-10-image

I reinstalled windows because I recently upgraded to a 3060, I had a rx 580 and I had these same problems before, but somehow I could get it fixed, until I reinstalled windows.

I opened both and as far I can see Kernel is the main critical error:
Error setting traits on Provider {8444a4fb-d8d3-4f38-84f8-89960a1ef12f}. Error: 0xC0000001

Problem Event Name: LiveKernelEvent
Code: 124
Parameter 1: 0
Parameter 2: ffffd889ce64fc10
Parameter 3: bea00000
Parameter 4: 108
OS version: 10_0_19043
Service Pack: 0_0
Product: 256_1
OS Version: 10.0.19043.2.0.0.256.48
Locale ID: 1033





Also I ran both of the commands, 0 faults.

 

[Sir Friksy]

1. Open Windows File Explore
2. Navigate to C:\Windows\Minidump
3. Copy the mini-dump files out onto your Desktop
4. Do not use Winzip, use the built in facility in Windows
5. Select those files on your Desktop, right click them and choose 'Send to' - Compressed (zipped) folder
6. Upload the zip file to the Cloud (OneDrive, DropBox . . . etc.)
7. Then post a link here to the zip file, so we can take a look for you . . .

Thank you so much for your help, here it is:
https://www.dropbox.com/sh/rx1kmiqlb130cyg/AAA3XHA7gH56F5WSkf4vS-PJa?dl=0

 

[Sir Friksy]

I've noticed that these bsods only occurs when my pc is idle or when im not playing games

 

[johnbl]

I would do the following:
download microsoft autoruns64
disable the amdryzendriver.sys (bad to debug while overclocking)
disable the two krisp audo drivers

start cmd.exe as an admin then run
dism.exe /online /cleanup-image /restorehealth
(to repair windows core files, most likely will not find anything since programs now change the image in memory and stored in the pagefile.sys rather than the .sys file on disk)
then you should download microsoft rammap64.exe
find the menu items on the empty menu and click each one. (this is to remove some hiding places for malware)

then turn off the systems virtual memory reboot and turn it back on. this is to delete the pagefile.sys and dump all of the modified windows core files and force the system to reload the files from the good copy on disk.
reboot and retest to see if you get a bugcheck.
if you do, you will need to change the memory dump type to kernel and provide the kernel dump as it will have much more debug info and internal logs.

------------
if you really need the krisp audio then you might consider disabling all not used sound devices (including no use microphone inputs) there are sound devices that have no speakers attached that still respond to other sound devices requests and cause the second device to have a buffer overflow. I did not see the telltell driver being loaded but I thought I would mention it.


--------

I would be looking for a opera.exe extension that is doing bad things. Maybe some communication software since a tcp datagram was being used.

krispaudio.sys
and krispvsb.sys
and what ever user interface program would also be suspect file dates april 22 2022
---------------------
looking at first bugcheck;
bam.sys looks like it canceled a timer that lead to the bugcheck.
(looks like a bug. double remove)

bam.sys looks like a microsoft file:
Background Activity Moderator Driver

problem is you have several modified microsoft core files running:
kernel, win32k, win32kfull, win32base have had their checksums removed.
----------------------


also running overclock driver amdryzenmasterdriver.sys

will take a quick look at the other bugchecks

------------
second bugcheck opera.exe running
something inserted into a queue then a bugcheck called since a guard data structure was corrupted.
windows places these to detect buffer overflows from malware attacks and if it sees one being corrupted it calls a bugcheck.

--------------
third bugcheck was like the first one but was done on a system process not bam.sys.
looks like malware or a stupid driver.

-------------
4th bugcheck was opera.exe running
then the network transport stack overflowed
while sending datagrams (basically sending messages to a windows socket connection that is not guaranteed to be received)

I would look at opera.exe and see if you have some communications app running
anyway, stack overflowed and hit a guard structure so a bugcheck was called.

-----------
last bugcheck (oldest) opera.exe running calling some system service to exit. does not make sense why it would call it. anyway, in this dump the nt kernel has not been modified. but the other 2 files are changed.
win32kbase is not modified in this dump.

in this version you had two copies of amdryzenmasterdriver running (bad)
(one from asrock the other from amd)

 

[Sir Friksy]

I would do the following:
download microsoft autoruns64
disable the amdryzendriver.sys (bad to debug while overclocking)
disable the two krisp audo drivers

start cmd.exe as an admin then run
dism.exe /online /cleanup-image /restorehealth
(to repair windows core files, most likely will not find anything since programs now change the image in memory and stored in the pagefile.sys rather than the .sys file on disk)
then you should download microsoft rammap64.exe
find the menu items on the empty menu and click each one. (this is to remove some hiding places for malware)

then turn off the systems virtual memory reboot and turn it back on. this is to delete the pagefile.sys and dump all of the modified windows core files and force the system to reload the files from the good copy on disk.
reboot and retest to see if you get a bugcheck.
if you do, you will need to change the memory dump type to kernel and provide the kernel dump as it will have much more debug info and internal logs.

------------
if you really need the krisp audio then you might consider disabling all not used sound devices (including no use microphone inputs) there are sound devices that have no speakers attached that still respond to other sound devices requests and cause the second device to have a buffer overflow. I did not see the telltell driver being loaded but I thought I would mention it.


--------

I would be looking for a opera.exe extension that is doing bad things. Maybe some communication software since a tcp datagram was being used.

krispaudio.sys
and krispvsb.sys
and what ever user interface program would also be suspect file dates april 22 2022
---------------------
looking at first bugcheck;
bam.sys looks like it canceled a timer that lead to the bugcheck.
(looks like a bug. double remove)

bam.sys looks like a microsoft file:
Background Activity Moderator Driver

problem is you have several modified microsoft core files running:
kernel, win32k, win32kfull, win32base have had their checksums removed.
----------------------


also running overclock driver amdryzenmasterdriver.sys

will take a quick look at the other bugchecks

------------
second bugcheck opera.exe running
something inserted into a queue then a bugcheck called since a guard data structure was corrupted.
windows places these to detect buffer overflows from malware attacks and if it sees one being corrupted it calls a bugcheck.

--------------
third bugcheck was like the first one but was done on a system process not bam.sys.
looks like malware or a stupid driver.

-------------
4th bugcheck was opera.exe running
then the network transport stack overflowed
while sending datagrams (basically sending messages to a windows socket connection that is not guaranteed to be received)

I would look at opera.exe and see if you have some communications app running
anyway, stack overflowed and hit a guard structure so a bugcheck was called.

-----------
last bugcheck (oldest) opera.exe running calling some system service to exit. does not make sense why it would call it. anyway, in this dump the nt kernel has not been modified. but the other 2 files are changed.
win32kbase is not modified in this dump.

in this version you had two copies of amdryzenmasterdriver running (bad)
(one from asrock the other from amd)

Hello, thank you so much for helping me out.
So I did the first two steps: ran the command in cmd, installed those two applications and disabled virtual memory and the drivers.

And since then I haven't had a BSOD yet.
It's been almost one hour that my pc is running and nothing different happened!

 

[johnbl]

Hello, thank you so much for helping me out.
So I did the first two steps: ran the command in cmd, installed those two applications and disabled virtual memory and the drivers.

And since then I haven't had a BSOD yet.
It's been almost one hour that my pc is running and nothing different happened!

for cases like this you will not know that it is fixed for a few weeks.

 

[Sir Friksy]

for cases like this you will not know that it is fixed for a few weeks.

Yes, so I left my pc idle for some hours and I got one bsod:

On Tue 7/26/2022 3:02:16 PM your computer crashed or a problem was reported
crash dump file: C:\WINDOWS\Minidump\072622-7984-01.dmp
This was probably caused by the following module: ntoskrnl.exe (nt+0x3F8590)
Bugcheck code: 0x139 (0x3, 0xFFFFF10E878995E0, 0xFFFFF10E87899538, 0x0)
Error: KERNEL_SECURITY_CHECK_FAILURE
file path: C:\WINDOWS\system32\ntoskrnl.exe
product: Microsoft® Windows® Operating System
company: Microsoft Corporation
description: NT Kernel & System
Bug check description: The kernel has detected the corruption of a critical data structure.
The crash took place in the Windows kernel. Possibly this problem is caused by another driver that cannot be identified at this time.

Here is the dump file:
https://www.dropbox.com/s/8xmj6m22qfy8wco/dump.zip?dl=0

Also, is there any reason that this only happens when I'm not gaming?

 

[johnbl]

Yes, so I left my pc idle for some hours and I got one bsod:

On Tue 7/26/2022 3:02:16 PM your computer crashed or a problem was reported
crash dump file: C:\WINDOWS\Minidump\072622-7984-01.dmp
This was probably caused by the following module: ntoskrnl.exe (nt+0x3F8590)
Bugcheck code: 0x139 (0x3, 0xFFFFF10E878995E0, 0xFFFFF10E87899538, 0x0)
Error: KERNEL_SECURITY_CHECK_FAILURE
file path: C:\WINDOWS\system32\ntoskrnl.exe
product: Microsoft® Windows® Operating System
company: Microsoft Corporation
description: NT Kernel & System
Bug check description: The kernel has detected the corruption of a critical data structure.
The crash took place in the Windows kernel. Possibly this problem is caused by another driver that cannot be identified at this time.

Here is the dump file:
https://www.dropbox.com/s/8xmj6m22qfy8wco/dump.zip?dl=0

Also, is there any reason that this only happens when I'm not gaming?

discord.exe was running, a timer was being cleaned up by the system, while the system was idle but the system found the timer was already deleted so it called a bugcheck. could be a discord bug.

maybe you can change the memory dump type to kernel and provide the kernel dump which will show the timers. (might be a problem since the timer was already deleted at the time of the bugcheck)

also check for updates to discord maybe. could just be a bug

note: you might want to check this driver:
vmulti.sys dated nov 2 2018

reports that it does not pass verifier testing.

 

[Sir Friksy]

discord.exe was running, a timer was being cleaned up by the system, while the system was idle but the system found the timer was already deleted so it called a bugcheck. could be a discord bug.

maybe you can change the memory dump type to kernel and provide the kernel dump which will show the timers. (might be a problem since the timer was already deleted at the time of the bugcheck)

also check for updates to discord maybe. could just be a bug

note: you might want to check this driver:
vmulti.sys dated nov 2 2018

reports that it does not pass verifier testing.

I changed the dump type to kernel already, isnt it located in the minidump folder?