CPU/Mobo BSOD , Page fault in non-paged area .
- Thread starter fLUX
- Start date
you may boot into safe mode and see if crash occurs there as well. If yes than it could be related to a hardware. If not, than it should be a driver issue, open the dump file in windbg (google it), and see which module is it pointing to.
Spacescreamer
ex-Mod
Could be a bad motherboard as well. But if the replacement of the ram is working.. good enough.
If not, best would be to analyze the core dump.
If not, best would be to analyze the core dump.
asingh
Super Mod
Post the last 6-7 memory dumps at a location and give it here. Will analyze.
asingh
Super Mod
WinDebug utility.
http://www.techenclave.com/guides-tutorials/solving-mysteries-crashing-windows-53546/
wrote this long long ago... but still valid.
:death
SU can NEVER ever cause a bsod. its simply not capable of doing such things.
fLUX
Skilled
This is what whocrashed provided by Arjun has to say @booo , @asingh
Crash Dump Analysis
Crash dump directory: c:\dump
Crash dumps are enabled on your computer.
On Fri 1/11/2013 2:00:42 PM GMT your computer crashed
crash dump file: C:\Windows\memory.dmp
This was probably caused by the following module: ntkrnlmp.exe (nt!KeBugCheckEx+0x0)
Bugcheck code: 0x50 (0xFFFFF8A00C963000, 0x0, 0xFFFFF80003744079, 0x0)
Error: PAGE_FAULT_IN_NONPAGED_AREA
Bug check description: This indicates that invalid system memory has been referenced.
This appears to be a typical software driver bug and is not likely to be caused by a hardware problem.
The crash took place in the Windows kernel. Possibly this problem is caused by another driver that cannot be identified at this time.
- - - Updated - - -
Also its not a ram issue afaik cause it gave me the same BSOD again when i plugged in a pen drive today evening.
Crash Dump Analysis
Crash dump directory: c:\dump
Crash dumps are enabled on your computer.
On Fri 1/11/2013 2:00:42 PM GMT your computer crashed
crash dump file: C:\Windows\memory.dmp
This was probably caused by the following module: ntkrnlmp.exe (nt!KeBugCheckEx+0x0)
Bugcheck code: 0x50 (0xFFFFF8A00C963000, 0x0, 0xFFFFF80003744079, 0x0)
Error: PAGE_FAULT_IN_NONPAGED_AREA
Bug check description: This indicates that invalid system memory has been referenced.
This appears to be a typical software driver bug and is not likely to be caused by a hardware problem.
The crash took place in the Windows kernel. Possibly this problem is caused by another driver that cannot be identified at this time.
- - - Updated - - -
Also its not a ram issue afaik cause it gave me the same BSOD again when i plugged in a pen drive today evening.
Last edited by a moderator:
asingh
Super Mod
Here you go
Will see these tonight. Thanks.
I did a quick analysis on the dumps and...
This is definitely not faulty hardware. but means your dumps did not catch the curlprit.
Possible solutions in the order of their toughness:
1. A quick check on the internet told me that reinstalling the windows after formatting fixed the issue.
2. Sometimes some rootkits try so hard to hide themselves that when they crash the system you cant find much in dumps. you can download sysinternal's root kit analyzer to check if there are any. I am not 100% sure that these crashes are caused my rootkits.
3. you could try to investigate further and find the bastard driver. Usually minidumps dont capture the entire stack and in certain cases you will need more than minidumps to investigate the issue. to pinpoint the issue, do the following:
3.1 download debugging tools for windows, this will install the windbg and other debugging tools.
3.2 setup system dumps to capture full dump. usually this would be same size as that of your RAM.
3.3 open windbg -> file->Symbol File Path Ctrl+s-> type "srv*" and check "reload" and the press ok.
3.4 drag the dump file into the windbg window. and run "!analyze -v" in the command box.
3.5 even if this doesnt show the driver (after selecting the full dump), or doesnt help you; then you'll need some more serious stuff called the driver verifier.
3.6 fire up "gflags.exe" or click the "global flags" from the program files menu, go to the kernel flags tab-> enable anything that has "heap" in it and the press ok. this will basically crashes the system whenever a driver does invalid operation, slows down the system a bit. but when you get the dump, it has much more information.
4. now, if you find the curlprit driver, then you will have to uninstall it, and find a stable version.
5. if points 2, 3 and 4 look "too much" for you, then just follow point 1.
Code:
2: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced. This cannot be protected by try-except,
it must be protected by a Probe. [COLOR=#ff0000][B]Typically the address is just plain bad or it
is pointing at freed memory.[/B][/COLOR]
Arguments:
Arg1: fffff8a00ed66000, memory referenced.
Arg2: 0000000000000000, value 0 = read operation, 1 = write operation.
Arg3: fffff8000378b079, If non-zero, the instruction address which referenced the bad memory
address.
Arg4: 0000000000000000, (reserved)
Debugging Details:
------------------
[B][COLOR=#ff0000]Could not read faulting driver name[/COLOR][/B]
READ_ADDRESS: GetPointerFromAddress: unable to read from fffff800036fd0e0
GetUlongFromAddress: unable to read from fffff800036fd198
fffff8a00ed66000 Paged pool
FAULTING_IP:
nt!MiCompressRelocations+70
fffff800`0378b079 410fb701 movzx eax,word ptr [r9]
MM_INTERNAL_CODE: 0
CUSTOMER_CRASH_COUNT: 1
[B][COLOR=#ff0000]DEFAULT_BUCKET_ID: WIN7_DRIVER_FAULT[/COLOR][/B]
BUGCHECK_STR: 0x50
[B][COLOR=#ff0000]PROCESS_NAME: svchost.exe[/COLOR][/B]
CURRENT_IRQL: 0
TRAP_FRAME: fffff8800b460040 -- (.trap 0xfffff8800b460040)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=0000000000000000 rbx=0000000000000000 rcx=0000000000000000
rdx=0000000000000000 rsi=0000000000000000 rdi=0000000000000000
rip=fffff8000378b079 rsp=fffff8800b4601d0 rbp=000000000008fc28
r8=000000007ffff960 r9=fffff8a00ed66000 r10=000000000006ed2c
r11=0000000000000008 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei pl nz na po nc
nt!MiCompressRelocations+0x70:
fffff800`0378b079 410fb701 movzx eax,word ptr [r9] ds:fffff8a0`0ed66000=????
Resetting default scope
LAST_CONTROL_TRANSFER: from fffff800035461e4 to fffff800034c6f00
STACK_TEXT:
fffff880`0b45fed8 fffff800`035461e4 : 00000000`00000050 fffff8a0`0ed66000 00000000`00000000 fffff880`0b460040 : nt!KeBugCheckEx
fffff880`0b45fee0 fffff800`034c4fee : 00000000`00000000 00000000`00000003 00000000`000d5600 fffff8a0`0ed652c0 : nt! ?? ::FNODOBFM::`string'+0x42907
fffff880`0b460040 fffff800`0378b079 : 00000000`01000000 fffff800`0378b461 fffffa80`04cc64b0 fffff800`0378b5a4 : nt!KiPageFault+0x16e
fffff880`0b4601d0 fffff800`03789932 : 00000000`000d56a0 00000000`01000000 00000000`00000001 00000000`00000004 : nt!MiCompressRelocations+0x70
fffff880`0b460220 fffff800`037bf5d1 : fffff8a0`0bf5f000 fffff880`0b460430 00000000`00000095 00000000`00000000 : nt!MiRelocateImage+0x4a2
fffff880`0b460390 fffff800`037b4893 : fffff880`0b4605f0 00000000`00000000 fffff880`0b460698 00000000`00000001 : nt!MmCreateSection+0x825
fffff880`0b4605a0 fffff800`03923573 : 00000000`00000000 fffff8a0`0b997af8 00000000`00000000 00000000`00000001 : nt!NtCreateSection+0x162
fffff880`0b460620 fffff800`03923b01 : 00000000`00000000 fffff8a0`0b997af8 fffffa80`04d1a340 fffff880`00000060 : nt!PfpFileBuildReadSupport+0x163
fffff880`0b460710 fffff800`0392bc1e : fffff8a0`00000000 fffff8a0`00000001 fffff8a0`00000003 00000000`00000001 : nt!PfpPrefetchFilesTrickle+0x121
fffff880`0b460810 fffff800`0392c7b7 : 00000000`00000000 fffff880`0b460ca0 fffff880`0b460a08 fffff8a0`010f5060 : nt!PfpPrefetchRequestPerform+0x30e
fffff880`0b460960 fffff800`03938d8e : fffff880`0b460a08 fffff880`0b460a01 fffffa80`06fe71b0 00000000`00000000 : nt!PfpPrefetchRequest+0x176
fffff880`0b4609d0 fffff800`0393d4be : 00000000`00000000 00000000`00e1fbb0 00000000`0000004f 00000000`0911d001 : nt!PfSetSuperfetchInformation+0x1ad
fffff880`0b460ab0 fffff800`034c6153 : fffffa80`0728cb60 00000000`00000000 00000000`0911c640 00000000`091230a8 : nt!NtSetSystemInformation+0xb91
fffff880`0b460c20 00000000`774015aa : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x13
00000000`00e1fb88 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x774015aa
STACK_COMMAND: kb
FOLLOWUP_IP:
nt!MiCompressRelocations+70
fffff800`0378b079 410fb701 movzx eax,word ptr [r9]
SYMBOL_STACK_INDEX: 3
SYMBOL_NAME: nt!MiCompressRelocations+70
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: nt
DEBUG_FLR_IMAGE_TIMESTAMP: 4a5bc600
IMAGE_NAME: memory_corruption
FAILURE_BUCKET_ID: X64_0x50_nt!MiCompressRelocations+70
BUCKET_ID: X64_0x50_nt!MiCompressRelocations+70
Followup: MachineOwner
---------This is definitely not faulty hardware. but means your dumps did not catch the curlprit.
Possible solutions in the order of their toughness:
1. A quick check on the internet told me that reinstalling the windows after formatting fixed the issue.
2. Sometimes some rootkits try so hard to hide themselves that when they crash the system you cant find much in dumps. you can download sysinternal's root kit analyzer to check if there are any. I am not 100% sure that these crashes are caused my rootkits.
3. you could try to investigate further and find the bastard driver. Usually minidumps dont capture the entire stack and in certain cases you will need more than minidumps to investigate the issue. to pinpoint the issue, do the following:
3.1 download debugging tools for windows, this will install the windbg and other debugging tools.
3.2 setup system dumps to capture full dump. usually this would be same size as that of your RAM.
3.3 open windbg -> file->Symbol File Path Ctrl+s-> type "srv*" and check "reload" and the press ok.
3.4 drag the dump file into the windbg window. and run "!analyze -v" in the command box.
3.5 even if this doesnt show the driver (after selecting the full dump), or doesnt help you; then you'll need some more serious stuff called the driver verifier.
3.6 fire up "gflags.exe" or click the "global flags" from the program files menu, go to the kernel flags tab-> enable anything that has "heap" in it and the press ok. this will basically crashes the system whenever a driver does invalid operation, slows down the system a bit. but when you get the dump, it has much more information.
4. now, if you find the curlprit driver, then you will have to uninstall it, and find a stable version.
5. if points 2, 3 and 4 look "too much" for you, then just follow point 1.