Advanced troubleshooting for Stop error or blue screen mistake issue

  • Article
  • 20 minutes to read

Note

If you're not a back up amanuensis or Information technology professional person, you'll find more helpful information about Stop error ("blue screen") messages in Troubleshoot blue screen errors.

What causes Stop errors?

A Stop fault is displayed as a blueish screen that contains the name of the faulty driver, such as whatever of the following instance drivers:

  • atikmpag.sys
  • igdkmd64.sys
  • nvlddmkm.sys

At that place is no simple explanation for the cause of Stop errors (too known as blueish screen errors or bug check errors). Many different factors can be involved. However, various studies point that Stop errors usually are not caused by Microsoft Windows components. Instead, these errors are generally related to malfunctioning hardware drivers or drivers that are installed past tertiary-party software. This includes video cards, wireless network cards, security programs, and so on.

Our assay of the root causes of crashes indicates the following:

  • 70 per centum are caused by third-party commuter lawmaking
  • 10 percent are acquired past hardware bug
  • 5 percent are caused by Microsoft lawmaking
  • 15 percent have unknown causes (because the retentivity is too corrupted to analyze)

Note

The root cause of Stop errors is never a user-mode process. While a user-way process (such as Notepad or Slack) may trigger a Stop fault, it is merely exposing the underlying bug which is always in a driver, hardware, or the Os.

General troubleshooting steps

To troubleshoot End error messages, follow these general steps:

  1. Review the Stop error code that you lot find in the event logs. Search online for the specific End error codes to see whether in that location are any known issues, resolutions, or workarounds for the trouble.

  2. Every bit a best practice, we recommend that you exercise the following:

    1. Make sure that yous install the latest Windows updates, cumulative updates, and rollup updates. To verify the update condition, refer to the appropriate update history for your organisation:

      • Windows x, version 21H2
      • Windows ten, version 21H1
      • Windows ten, version 20H2
      • Windows 10, version 2004
      • Windows ten, version 1909
      • Windows ten, version 1903
      • Windows 10, version 1809
      • Windows x, version 1803
      • Windows ten, version 1709
      • Windows 10, version 1703
      • Windows Server 2016 and Windows x, version 1607
      • Windows 10, version 1511
      • Windows Server 2012 R2 and Windows viii.one
      • Windows Server 2008 R2 and Windows seven SP1

    2. Make sure that the BIOS and firmware are up-to-date.

    3. Run any relevant hardware and memory tests.

  3. Run the Machine Memory Dump Collector Windows diagnostic parcel. This diagnostic tool is used to collect machine retention dump files and check for known solutions.

  4. Run Microsoft Prophylactic Scanner or whatever other virus detection program that includes checks of the Master Boot Tape for infections.

  5. Brand sure that in that location is sufficient free space on the hd. The exact requirement varies, but nosotros recommend 10–15 per centum free disk space.

  6. Contact the corresponding hardware or software vendor to update the drivers and applications in the post-obit scenarios:

    • The error message indicates that a specific commuter is causing the problem.

    • You are seeing an indication of a service that is starting or stopping before the crash occurred. In this situation, decide whether the service beliefs is consistent across all instances of the crash.

    • You have made any software or hardware changes.

Memory dump collection

To configure the system for retentivity dump files, follow these steps:

  1. Download DumpConfigurator tool.

  2. Extract the .zip file and navigate to Source Code folder.

  3. Run the tool DumpConfigurator.hta, so select Drag this HTA.

  4. Select Car Config Kernel.

  5. Restart the figurer for the setting to take effect.

  6. Stop and disable Automatic System Restart Services (ASR) to prevent dump files from being written.

  7. If the server is virtualized, disable car reboot after the retention dump file is created. This lets yous take a snapshot of the server in-state and also if the problem recurs.

The retention dump file is saved at the following locations:

Dump file type Location
(none) %SystemRoot%\MEMORY.DMP (inactive, or grayed out)
Small-scale memory dump file (256 kb) %SystemRoot%\Minidump
Kernel retentivity dump file %SystemRoot%\MEMORY.DMP
Complete retentiveness dump file %SystemRoot%\MEMORY.DMP
Automated retentivity dump file %SystemRoot%\MEMORY.DMP
Agile memory dump file %SystemRoot%\Retentivity.DMP
Yous tin can use the Microsoft DumpChk (Crash Dump File Checker) tool to verify that the memory dump files are non corrupted or invalid. For more than information, see the following video:

More data on how to use Dumpchk.exe to check your dump files:

  • Using DumpChk
  • Download DumpCheck

Pagefile Settings

  • Introduction of folio file in Long-Term Servicing Channel and Full general Availability Channel of Windows
  • How to make up one's mind the appropriate page file size for 64-scrap versions of Windows
  • How to generate a kernel or a consummate memory dump file in Windows Server 2008 and Windows Server 2008 R2

Memory dump analysis

Finding the root cause of the crash may non be like shooting fish in a barrel. Hardware problems are especially difficult to diagnose because they may cause erratic and unpredictable beliefs that can manifest itself in various symptoms.

When a Stop error occurs, you should commencement isolate the problematic components, and then attempt to cause them to trigger the Stop error again. If yous can replicate the problem, you tin usually determine the cause.

Yous tin can use the tools such as Windows Software Development KIT (SDK) and Symbols to diagnose dump logs. The next section discusses how to use this tool.

Avant-garde troubleshooting steps

Note

Advanced troubleshooting of crash dumps tin be very challenging if you are not experienced with programming and internal Windows mechanisms. We take attempted to provide a brief insight hither into some of the techniques used, including some examples. Nevertheless, to really exist effective at troubleshooting a crash dump, you should spend time becoming familiar with advanced debugging techniques. For a video overview, meet Advanced Windows Debugging and Debugging Kernel Mode Crashes and Hangs. Also encounter the avant-garde references listed below.

Advanced debugging references

  • Advanced Windows Debugging
  • Debugging Tools for Windows (WinDbg, KD, CDB, NTSD)

Debugging steps

  1. Verify that the computer is gear up to generate a complete retention dump file when a crash occurs. See the steps here for more than information.

  2. Locate the memory.dmp file in your Windows directory on the computer that is crashing, and copy that file to another reckoner.

  3. On the other computer, download the Windows x SDK.

  4. Start the install and choose Debugging Tools for Windows. This installs the WinDbg tool.

  5. Open the WinDbg tool and set the symbol path by clicking File and then clicking Symbol File Path.

    1. If the estimator is connected to the Internet, enter the Microsoft public symbol server (https://msdl.microsoft.com/download/symbols) and click OK. This is the recommended method.

    2. If the estimator is not connected to the Internet, you must specify a local symbol path.

  6. Click on Open Crash Dump, and then open the memory.dmp file that you copied. See the example below.

    WinDbg img.

  7. There should be a link that says !analyze -v under Bugcheck Assay. Click that link. This will enter the command !analyze -v in the prompt at the bottom of the page.

  8. A detailed bugcheck assay will announced. See the example below.

    Bugcheck analysis.

  9. Scroll downwards to the section where it says STACK_TEXT. There will exist rows of numbers with each row followed by a colon and some text. That text should tell yous what DLL is causing the crash and if applicable what service is crashing the DLL.

  10. See Using the !clarify Extension for details nearly how to interpret the STACK_TEXT output.

At that place are many possible causes of a bugcheck and each case is unique. In the example provided above, the important lines that can be identified from the STACK_TEXT are 20, 21, and 22:

(HEX data is removed here and lines are numbered for clarity)

              one  : nt!KeBugCheckEx 2  : nt!PspCatchCriticalBreak+0xff 3  : nt!PspTerminateAllThreads+0x1134cf 4  : nt!PspTerminateProcess+0xe0 5  : nt!NtTerminateProcess+0xa9 6  : nt!KiSystemServiceCopyEnd+0x13 seven  : nt!KiServiceLinkage 8  : nt!KiDispatchException+0x1107fe 9  : nt!KiFastFailDispatch+0xe4 10 : nt!KiRaiseSecurityCheckFailure+0x3d3 11 : ntdll!RtlpHpFreeWithExceptionProtection$filt$0+0x44 12 : ntdll!_C_specific_handler+0x96 thirteen : ntdll!RtlpExecuteHandlerForException+0xd 14 : ntdll!RtlDispatchException+0x358 fifteen : ntdll!KiUserExceptionDispatch+0x2e 16 : ntdll!RtlpHpVsContextFree+0x11e 17 : ntdll!RtlpHpFreeHeap+0x48c eighteen : ntdll!RtlpHpFreeWithExceptionProtection+0xda xix : ntdll!RtlFreeHeap+0x24a 20 : FWPolicyIOMgr!FwBinariesFree+0xa7c2 21 : mpssvc!FwMoneisDiagEdpPolicyUpdate+0x1584f 22 : mpssvc!FwEdpMonUpdate+0x6c 23 : ntdll!RtlpWnfWalkUserSubscriptionList+0x29b 24 : ntdll!RtlpWnfProcessCurrentDescriptor+0x105 25 : ntdll!RtlpWnfNotificationThread+0x80 26 : ntdll!TppExecuteWaitCallback+0xe1 27 : ntdll!TppWorkerThread+0x8d0 28 : KERNEL32!BaseThreadInitThunk+0x14 29 : ntdll!RtlUserThreadStart+0x21

The problem here is with mpssvc which is a component of the Windows Firewall. The problem was repaired by disabling the firewall temporarily and then resetting firewall policies.

Additional examples are provided in the Debugging examples section at the bottom of this article.

Video resources

The following videos illustrate various troubleshooting techniques for analyzing dump files.

  • Analyze Dump File
  • Installing Debugging Tool for Windows (x64 and x86)
  • Debugging kernel mode crash memory dumps
  • Special Pool

Advanced troubleshooting using Driver Verifier

We judge that well-nigh 75 percent of all Stop errors are caused by faulty drivers. The Commuter Verifier tool provides several methods to aid you lot troubleshoot. These include running drivers in an isolated retentivity pool (without sharing memory with other components), generating extreme memory force per unit area, and validating parameters. If the tool encounters errors in the execution of driver lawmaking, it proactively creates an exception to let that part of the code be examined further.

Warning

Commuter Verifier consumes lots of CPU and can tiresome downward the computer significantly. You may likewise experience boosted crashes. Verifier disables faulty drivers after a Stop mistake occurs, and continues to do this until you lot tin successfully restart the organisation and admission the desktop. You tin can likewise expect to see several dump files created.

Don't endeavor to verify all the drivers at one time. This can degrade operation and make the organization unusable. This also limits the effectiveness of the tool.

Employ the following guidelines when you use Commuter Verifier:

  • Test any "suspicious" drivers (drivers that were recently updated or that are known to be problematic).

  • If yous keep to experience not-analyzable crashes, try enabling verification on all third-political party and unsigned drivers.

  • Enable concurrent verification on groups of 10–20 drivers.

  • Additionally, if the reckoner cannot boot into the desktop considering of Driver Verifier, you lot can disable the tool past starting in Safe fashion. This is because the tool cannot run in Safe way.

For more information, see Commuter Verifier.

Common Windows End errors

This section doesn't contain a listing of all error codes, just since many fault codes accept the same potential resolutions, your best bet is to follow the steps below to troubleshoot your error.

The following table lists full general troubleshooting procedures for common Stop fault codes.

Stop error message and lawmaking Mitigation
VIDEO_ENGINE_TIMEOUT_DETECTED or VIDEO_TDR_TIMEOUT_DETECTED
Stop error lawmaking 0x00000141, or 0x00000117		 Contact the vendor of the listed display driver to get an advisable update for that driver.
DRIVER_IRQL_NOT_LESS_OR_EQUAL
Stop mistake lawmaking 0x0000000D1		 Utilize the latest updates for the driver by applying the latest cumulative updates for the system through the Microsoft Update Catalog website.Update an outdated NIC driver. Virtualized VMware systems oftentimes run "Intel(R) PRO/1000 MT Network Connection" (e1g6032e.sys). This driver is bachelor at http://downloadcenter.intel.com. Contact the hardware vendor to update the NIC driver for a resolution. For VMware systems, use the VMware integrated NIC driver (types VMXNET or VMXNET2 , VMXNET3 can exist used) instead of Intel e1g6032e.sys.
PAGE_FAULT_IN_NONPAGED_AREA
Cease error lawmaking 0x000000050		 If a commuter is identified in the Stop error message, contact the manufacturer for an update.If no updates are available, disable the driver, and monitor the system for stability. Run Chkdsk /f /r to detect and repair deejay errors. You lot must restart the organisation before the disk scan begins on a system partition. Contact the manufacturer for any diagnostic tools that they may provide for the hard deejay subsystem. Try to reinstall any application or service that was recently installed or updated. Information technology'southward possible that the crash was triggered while the arrangement was starting applications and reading the registry for preference settings. Reinstalling the application can fix corrupted registry keys.If the problem persists, and you take run a recent system state backup, try to restore the registry hives from the backup.
SYSTEM_SERVICE_EXCEPTION
Cease error code c000021a {Fatal System Error} The Windows SubSystem organization process terminated unexpectedly with a status of 0xc0000005. The system has been shut down.		 Use the Organization File Checker tool to repair missing or corrupted system files. The Organisation File Checker lets users scan for corruptions in Windows system files and restore corrupted files. For more than information, run across Apply the Arrangement File Checker tool.
NTFS_FILE_SYSTEM
Cease error lawmaking 0x000000024		 This Stop error is commonly caused by corruption in the NTFS file system or bad blocks (sectors) on the hard disk drive. Corrupted drivers for difficult disks (SATA or IDE) can also adversely affect the arrangement's power to read and write to disk. Run any hardware diagnostics that are provided past the manufacturer of the storage subsystem. Use the browse disk tool to verify that there are no file system errors. To do this, right-click the bulldoze that y'all want to scan, select Properties, select Tools, and then select the Bank check now push button.Nosotros as well suggest that y'all update the NTFS file system driver (Ntfs.sys), and use the latest cumulative updates for the current operating arrangement that is experiencing the problem.
KMODE_EXCEPTION_NOT_HANDLED
Stop mistake code 0x0000001E		 If a driver is identified in the Stop fault message, disable or remove that commuter. Disable or remove whatsoever drivers or services that were recently added.

If the mistake occurs during the startup sequence, and the organization partition is formatted by using the NTFS file system, you lot might be able to utilise Safe mode to disable the commuter in Device Manager. To do this, follow these steps:

Go to Settings > Update & security > Recovery. Under Advanced startup, select Restart now. Later on your PC restarts to the Cull an option screen, select Troubleshoot > Advanced options > Startup Settings > Restart. Afterward the computer restarts, you lot'll see a list of options. Press 4 or F4 to start the computer in Safe mode. Or, if you intend to use the Internet while in Prophylactic mode, press 5 or F5 for the Safety Fashion with Networking option.
DPC_WATCHDOG_VIOLATION
Stop mistake lawmaking 0x00000133		 This Stop error code is caused past a faulty driver that does not complete its work within the allotted time frame in certain conditions. To enable us to assistance mitigate this error, collect the memory dump file from the system, and then use the Windows Debugger to find the faulty driver. If a driver is identified in the Terminate error message, disable the driver to isolate the problem. Check with the manufacturer for driver updates. Bank check the system log in Effect Viewer for boosted error letters that might help identify the device or driver that is causing Stop fault 0x133. Verify that any new hardware that is installed is uniform with the installed version of Windows. For example, y'all tin get information well-nigh required hardware at Windows 10 Specifications. If Windows Debugger is installed, and you have admission to public symbols, you tin can load the c:\windows\memory.dmp file into the Debugger, and then refer to Determining the source of Issues Check 0x133 (DPC_WATCHDOG_VIOLATION) errors on Windows Server 2012 to discover the problematic commuter from the memory dump.
USER_MODE_HEALTH_MONITOR
Cease error code 0x0000009E		 This Cease error indicates that a user-mode wellness cheque failed in a mode that prevents graceful shutdown. Therefore, Windows restores critical services past restarting or enabling application failover to other servers. The Clustering Service incorporates a detection mechanism that may detect unresponsiveness in user-mode components.
This Stop error unremarkably occurs in a clustered surroundings, and the indicated faulty commuter is RHS.exe.Check the event logs for whatever storage failures to identify the failing process. Try to update the component or process that is indicated in the event logs. You should run across the post-obit consequence recorded:
Upshot ID: 4870
Source: Microsoft-Windows-FailoverClustering
Description: User manner health monitoring has detected that the system is not being responsive. The Failover cluster virtual adapter has lost contact with the Cluster Server process with a process ID '%1', for '%2' seconds. Recovery action is taken. Review the Cluster logs to place the process and investigate which items might cause the procedure to hang.
For more information, run into "Why is my Failover Clustering node bluish screening with a End 0x0000009E?" Also, see the following Microsoft video What to do if a 9E occurs.

Debugging examples

Example one

This bugcheck is caused by a driver hang during upgrade, resulting in a bugcheck D1 in NDIS.sys (a Microsoft commuter). The IMAGE_NAME tells you lot the faulting driver, but since this is Microsoft driver it cannot be replaced or removed. The resolution method is to disable the network device in device managing director and try the upgrade again.

              2: kd> !clarify -v ******************************************************************************* *                                                                             * *                        Bugcheck Assay                                    * *                                                                             * *******************************************************************************  DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1) An attempt was fabricated to access a pageable (or completely invalid) address at an interrupt request level (IRQL) that is too high.  This is normally caused by drivers using improper addresses. If kernel debugger is available become stack backtrace. Arguments: Arg1: 000000000011092a, memory referenced Arg2: 0000000000000002, IRQL Arg3: 0000000000000001, value 0 = read performance, 1 = write operation Arg4: fffff807aa74f4c4, address which referenced memory Debugging Details: ------------------  KEY_VALUES_STRING: one STACKHASH_ANALYSIS: 1 TIMELINE_ANALYSIS: 1 DUMP_CLASS: ane DUMP_QUALIFIER: 400 SIMULTANEOUS_TELSVC_INSTANCES:  0 SIMULTANEOUS_TELWP_INSTANCES:  0 BUILD_VERSION_STRING:  16299.15.amd64fre.rs3_release.170928-1534 SYSTEM_MANUFACTURER:  Alienware SYSTEM_PRODUCT_NAME:  Alienware 15 R2 SYSTEM_SKU:  Alienware 15 R2 SYSTEM_VERSION:  i.ii.viii BIOS_VENDOR:  Alienware BIOS_VERSION:  1.2.8 BIOS_DATE:  01/29/2016 BASEBOARD_MANUFACTURER:  Alienware BASEBOARD_PRODUCT:  Alienware 15 R2 BASEBOARD_VERSION:  A00 DUMP_TYPE:  2 BUGCHECK_P1: 11092a BUGCHECK_P2: 2 BUGCHECK_P3: i BUGCHECK_P4: fffff807aa74f4c4 WRITE_ADDRESS: fffff80060602380: Unable to get MiVisibleState Unable to get NonPagedPoolStart Unable to get NonPagedPoolEnd Unable to get PagedPoolStart Unable to become PagedPoolEnd 000000000011092a  CURRENT_IRQL:  2 FAULTING_IP:  NDIS!NdisQueueIoWorkItem+4 [minio\ndis\sys\miniport.c @ 9708] fffff807`aa74f4c4 48895120        mov     qword ptr [rcx+20h],rdx CPU_COUNT: eight CPU_MHZ: a20 CPU_VENDOR:  GenuineIntel CPU_FAMILY: 6 CPU_MODEL: 5e CPU_STEPPING: 3 CPU_MICROCODE: 6,5e,three,0 (F,G,South,R)  SIG: BA'00000000 (cache) BA'00000000 (init) BLACKBOXPNP: 1 (!blackboxpnp) DEFAULT_BUCKET_ID:  WIN8_DRIVER_FAULT BUGCHECK_STR:  AV PROCESS_NAME:  Arrangement ANALYSIS_SESSION_HOST:  SHENDRIX-DEV0 ANALYSIS_SESSION_TIME:  01-17-2019 11:06:05.0653 ANALYSIS_VERSION: ten.0.18248.1001 amd64fre TRAP_FRAME:  ffffa884c0c3f6b0 -- (.trap 0xffffa884c0c3f6b0) NOTE: The trap frame does not contain all registers. Some annals values may be zeroed or incorrect. rax=fffff807ad018bf0 rbx=0000000000000000 rcx=000000000011090a rdx=fffff807ad018c10 rsi=0000000000000000 rdi=0000000000000000 rip=fffff807aa74f4c4 rsp=ffffa884c0c3f840 rbp=000000002408fd00 r8=ffffb30e0e99ea30  r9=0000000001d371c1 r10=0000000020000080 r11=0000000000000000 r12=0000000000000000 r13=0000000000000000 r14=0000000000000000 r15=0000000000000000 iopl=0         nv up ei ng nz na pe nc NDIS!NdisQueueIoWorkItem+0x4: fffff807`aa74f4c4 48895120        mov     qword ptr [rcx+20h],rdx ds:00000000`0011092a=???????????????? Resetting default scope  LAST_CONTROL_TRANSFER:  from fffff800603799e9 to fffff8006036e0e0  STACK_TEXT:   ffffa884`c0c3f568 fffff800`603799e9 : 00000000`0000000a 00000000`0011092a 00000000`00000002 00000000`00000001 : nt!KeBugCheckEx [minkernel\ntos\ke\amd64\procstat.asm @ 134]  ffffa884`c0c3f570 fffff800`60377d7d : fffff78a`4000a150 ffffb30e`03fba001 ffff8180`f0b5d180 00000000`000000ff : nt!KiBugCheckDispatch+0x69 [minkernel\ntos\ke\amd64\trap.asm @ 2998]  ffffa884`c0c3f6b0 fffff807`aa74f4c4 : 00000000`00000002 ffff8180`f0754180 00000000`00269fb1 ffff8180`f0754180 : nt!KiPageFault+0x23d [minkernel\ntos\ke\amd64\trap.asm @ 1248]  ffffa884`c0c3f840 fffff800`60256b63 : ffffb30e`0e18f710 ffff8180`f0754180 ffffa884`c0c3fa18 00000000`00000002 : NDIS!NdisQueueIoWorkItem+0x4 [minio\ndis\sys\miniport.c @ 9708]  ffffa884`c0c3f870 fffff800`60257bfd : 00000000`00000008 00000000`00000000 00000000`00269fb1 ffff8180`f0754180 : nt!KiProcessExpiredTimerList+0x153 [minkernel\ntos\ke\dpcsup.c @ 2078]  ffffa884`c0c3f960 fffff800`6037123a : 00000000`00000000 ffff8180`f0754180 00000000`00000000 ffff8180`f0760cc0 : nt!KiRetireDpcList+0x43d [minkernel\ntos\ke\dpcsup.c @ 1512]  ffffa884`c0c3fb60 00000000`00000000 : ffffa884`c0c40000 ffffa884`c0c39000 00000000`00000000 00000000`00000000 : nt!KiIdleLoop+0x5a [minkernel\ntos\ke\amd64\idle.asm @ 166]   RETRACER_ANALYSIS_TAG_STATUS:  Failed in getting KPCR for core 2 THREAD_SHA1_HASH_MOD_FUNC:  5b59a784f22d4b5cbd5a8452fe39914b8fd7961d THREAD_SHA1_HASH_MOD_FUNC_OFFSET:  5643383f9cae3ca39073f7721b53f0c633bfb948 THREAD_SHA1_HASH_MOD:  20edda059578820e64b723e466deea47f59bd675 FOLLOWUP_IP:  NDIS!NdisQueueIoWorkItem+4 [minio\ndis\sys\miniport.c @ 9708] fffff807`aa74f4c4 48895120        mov     qword ptr [rcx+20h],rdx FAULT_INSTR_CODE:  20518948 FAULTING_SOURCE_LINE:  minio\ndis\sys\miniport.c FAULTING_SOURCE_FILE:  minio\ndis\sys\miniport.c FAULTING_SOURCE_LINE_NUMBER:  9708 FAULTING_SOURCE_CODE:     9704:     _In_ _Points_to_data_      PVOID                       WorkItemContext   9705:     )   9706: {   9707:  > 9708:     ((PNDIS_IO_WORK_ITEM)NdisIoWorkItemHandle)->Routine = Routine;   9709:     ((PNDIS_IO_WORK_ITEM)NdisIoWorkItemHandle)->WorkItemContext = WorkItemContext;   9710:    9711:     IoQueueWorkItem(((PNDIS_IO_WORK_ITEM)NdisIoWorkItemHandle)->IoWorkItem,   9712:                     ndisDispatchIoWorkItem,   9713:                     CriticalWorkQueue,  SYMBOL_STACK_INDEX:  iii SYMBOL_NAME:  NDIS!NdisQueueIoWorkItem+iv FOLLOWUP_NAME:  ndiscore MODULE_NAME: NDIS IMAGE_NAME:  NDIS.SYS DEBUG_FLR_IMAGE_TIMESTAMP:  0 IMAGE_VERSION:  ten.0.16299.99 DXGANALYZE_ANALYSIS_TAG_PORT_GLOBAL_INFO_STR:  Hybrid_FALSE DXGANALYZE_ANALYSIS_TAG_ADAPTER_INFO_STR:  GPU0_VenId0x1414_DevId0x8d_WDDM1.3_Active; STACK_COMMAND:  .thread ; .cxr ; kb BUCKET_ID_FUNC_OFFSET:  iv FAILURE_BUCKET_ID:  AV_NDIS!NdisQueueIoWorkItem BUCKET_ID:  AV_NDIS!NdisQueueIoWorkItem PRIMARY_PROBLEM_CLASS:  AV_NDIS!NdisQueueIoWorkItem TARGET_TIME:  2017-12-10T14:16:08.000Z OSBUILD:  16299 OSSERVICEPACK:  98 SERVICEPACK_NUMBER: 0 OS_REVISION: 0 SUITE_MASK:  784 PRODUCT_TYPE:  ane OSPLATFORM_TYPE:  x64 OSNAME:  Windows 10 OSEDITION:  Windows x WinNt TerminalServer SingleUserTS Personal OS_LOCALE:   USER_LCID:  0 OSBUILD_TIMESTAMP:  2017-11-26 03:49:twenty BUILDDATESTAMP_STR:  170928-1534 BUILDLAB_STR:  rs3_release BUILDOSVER_STR:  10.0.16299.xv.amd64fre.rs3_release.170928-1534 ANALYSIS_SESSION_ELAPSED_TIME:  8377 ANALYSIS_SOURCE:  KM FAILURE_ID_HASH_STRING:  km:av_ndis!ndisqueueioworkitem FAILURE_ID_HASH:  {10686423-afa1-4852-ad1b-9324ac44ac96} FAILURE_ID_REPORT_LINK: https://go.microsoft.com/fwlink/?LinkID=397724&FailureHash=10686423-afa1-4852-ad1b-9324ac44ac96 Followup:     ndiscore ---------

Example 2

In this instance, a non-Microsoft driver caused folio mistake, so nosotros don't have symbols for this driver. However, looking at IMAGE_NAME and or MODULE_NAME indicates it's WwanUsbMP.sys that caused the result. Disconnecting the device and retrying the upgrade is a possible solution.

              1: kd> !analyze -5 ******************************************************************************* *                                                                             * *                        Bugcheck Analysis                                    * *                                                                             * *******************************************************************************  PAGE_FAULT_IN_NONPAGED_AREA (50) Invalid system memory was referenced.  This cannot be protected by try-except. Typically the address is but plain bad or it is pointing at freed memory. Arguments: Arg1: 8ba10000, retentiveness referenced. Arg2: 00000000, value 0 = read operation, 1 = write performance. Arg3: 82154573, If non-nothing, the pedagogy accost which referenced the bad memory                 address. Arg4: 00000000, (reserved)  Debugging Details: ------------------  *** Alert: Unable to verify timestamp for WwanUsbMp.sys *** ERROR: Module load completed but symbols could not exist loaded for WwanUsbMp.sys  KEY_VALUES_STRING: ane STACKHASH_ANALYSIS: 1 TIMELINE_ANALYSIS: i DUMP_CLASS: i DUMP_QUALIFIER: 400 BUILD_VERSION_STRING:  16299.15.x86fre.rs3_release.170928-1534 MARKER_MODULE_NAME:  IBM_ibmpmdrv SYSTEM_MANUFACTURER:  LENOVO SYSTEM_PRODUCT_NAME:  20AWS07H00 SYSTEM_SKU:  LENOVO_MT_20AW_BU_Think_FM_ThinkPad T440p SYSTEM_VERSION:  ThinkPad T440p BIOS_VENDOR:  LENOVO BIOS_VERSION:  GLET85WW (ii.39 ) BIOS_DATE:  09/29/2016 BASEBOARD_MANUFACTURER:  LENOVO BASEBOARD_PRODUCT:  20AWS07H00 BASEBOARD_VERSION:  Not Defined DUMP_TYPE:  2 BUGCHECK_P1: ffffffff8ba10000 BUGCHECK_P2: 0 BUGCHECK_P3: ffffffff82154573 BUGCHECK_P4: 0 READ_ADDRESS: 822821d0: Unable to get MiVisibleState 8ba10000  FAULTING_IP:  nt!memcpy+33 [minkernel\crts\crtw32\string\i386\memcpy.asm @ 213 82154573 f3a5            rep movs dword ptr es:[edi],dword ptr [esi] MM_INTERNAL_CODE:  0 CPU_COUNT: 4 CPU_MHZ: 95a CPU_VENDOR:  GenuineIntel CPU_FAMILY: 6 CPU_MODEL: 3c CPU_STEPPING: 3 CPU_MICROCODE: half dozen,3c,3,0 (F,Grand,South,R)  SIG: 21'00000000 (cache) 21'00000000 (init) BLACKBOXBSD: 1 (!blackboxbsd) BLACKBOXPNP: 1 (!blackboxpnp) DEFAULT_BUCKET_ID:  WIN8_DRIVER_FAULT BUGCHECK_STR:  AV PROCESS_NAME:  Organisation CURRENT_IRQL:  2 ANALYSIS_SESSION_HOST:  SHENDRIX-DEV0 ANALYSIS_SESSION_TIME:  01-17-2019 10:54:53.0780 ANALYSIS_VERSION: ten.0.18248.1001 amd64fre TRAP_FRAME:  8ba0efa8 -- (.trap 0xffffffff8ba0efa8) ErrCode = 00000000 eax=8ba1759e ebx=a2bfd314 ecx=00001d67 edx=00000002 esi=8ba10000 edi=a2bfe280 eip=82154573 esp=8ba0f01c ebp=8ba0f024 iopl=0         nv up ei pl nz ac pe nc cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010216 nt!memcpy+0x33: 82154573 f3a5            rep movs dword ptr es:[edi],dword ptr [esi] Resetting default scope LOCK_ADDRESS:  8226c6e0 -- (!locks 8226c6e0) Cannot become _ERESOURCE type Resource @ nt!PiEngineLock (0x8226c6e0)    Available 1 total locks PNP_TRIAGE_DATA:                  Lock address  : 0x8226c6e0                 Thread Count  : 0                 Thread address: 0x00000000                 Thread look   : 0x0  LAST_CONTROL_TRANSFER:  from 82076708 to 821507e8  STACK_TEXT:   8ba0ede4 82076708 00000050 8ba10000 00000000 nt!KeBugCheckEx [minkernel\ntos\ke\i386\procstat.asm @ 114]  8ba0ee40 8207771e 8ba0efa8 8ba10000 8ba0eea0 nt!MiSystemFault+0x13c8 [minkernel\ntos\mm\mmfault.c @ 4755]  8ba0ef08 821652ac 00000000 8ba10000 00000000 nt!MmAccessFault+0x83e [minkernel\ntos\mm\mmfault.c @ 6868]  8ba0ef08 82154573 00000000 8ba10000 00000000 nt!_KiTrap0E+0xec [minkernel\ntos\ke\i386\trap.asm @ 5153]  8ba0f024 86692866 a2bfd314 8ba0f094 0000850a nt!memcpy+0x33 [minkernel\crts\crtw32\string\i386\memcpy.asm @ 213]  8ba0f040 866961bc 8ba0f19c a2bfd0e8 00000000 NDIS!ndisMSetPowerManagementCapabilities+0x8a [minio\ndis\sys\miniport.c @ 7969]  8ba0f060 866e1f66 866e1caf adfb9000 00000000 NDIS!ndisMSetGeneralAttributes+0x23d [minio\ndis\sys\miniport.c @ 8198]  8ba0f078 ac50c15f a2bfd0e8 0000009f 00000001 NDIS!NdisMSetMiniportAttributes+0x2b7 [minio\ndis\sys\miniport.c @ 7184]  Alarm: Stack unwind information not available. Post-obit frames may be wrong. 8ba0f270 ac526f96 adfb9000 a2bfd0e8 8269b9b0 WwanUsbMp+0x1c15f 8ba0f3cc 866e368a a2bfd0e8 00000000 8ba0f4c0 WwanUsbMp+0x36f96 8ba0f410 867004b0 a2bfd0e8 a2bfd0e8 a2be2a70 NDIS!ndisMInvokeInitialize+0x60 [minio\ndis\sys\miniport.c @ 13834]  8ba0f7ac 866dbc8e a2acf730 866b807c 00000000 NDIS!ndisMInitializeAdapter+0xa23 [minio\ndis\sys\miniport.c @ 601]  8ba0f7d8 866e687d a2bfd0e8 00000000 00000000 NDIS!ndisInitializeAdapter+0x4c [minio\ndis\sys\initpnp.c @ 931]  8ba0f800 866e90bb adfb64d8 00000000 a2bfd0e8 NDIS!ndisPnPStartDevice+0x118 [minio\ndis\sys\configm.c @ 4235]  8ba0f820 866e8a58 adfb64d8 a2bfd0e8 00000000 NDIS!ndisStartDeviceSynchronous+0xbd [minio\ndis\sys\ndispnp.c @ 3096]  8ba0f838 866e81df adfb64d8 8ba0f85e 8ba0f85f NDIS!ndisPnPIrpStartDevice+0xb4 [minio\ndis\sys\ndispnp.c @ 1067]  8ba0f860 820a7e98 a2bfd030 adfb64d8 8ba0f910 NDIS!ndisPnPDispatch+0x108 [minio\ndis\sys\ndispnp.c @ 2429]  8ba0f878 8231f07e 8ba0f8ec adf5d4c8 872e2eb8 nt!IofCallDriver+0x48 [minkernel\ntos\io\iomgr\iosubs.c @ 3149]  8ba0f898 820b8569 820c92b8 872e2eb8 8ba0f910 nt!PnpAsynchronousCall+0x9e [minkernel\ntos\io\pnpmgr\irp.c @ 3005]  8ba0f8cc 820c9a76 00000000 820c92b8 872e2eb8 nt!PnpSendIrp+0x67 [minkernel\ntos\io\pnpmgr\irp.h @ 286]  8ba0f914 8234577b 872e2eb8 adf638b0 adf638b0 nt!PnpStartDevice+0x60 [minkernel\ntos\io\pnpmgr\irp.c @ 3187]  8ba0f94c 82346cc7 872e2eb8 adf638b0 adf638b0 nt!PnpStartDeviceNode+0xc3 [minkernel\ntos\io\pnpmgr\showtime.c @ 1712]  8ba0f96c 82343c68 00000000 a2bdb3d8 adf638b0 nt!PipProcessStartPhase1+0x4d [minkernel\ntos\io\pnpmgr\start.c @ 114]  8ba0fb5c 824db885 8ba0fb80 00000000 00000000 nt!PipProcessDevNodeTree+0x386 [minkernel\ntos\io\pnpmgr\enum.c @ 6129]  8ba0fb88 8219571b 85852520 8c601040 8226ba90 nt!PiRestartDevice+0x91 [minkernel\ntos\io\pnpmgr\enum.c @ 4743]  8ba0fbe8 820804af 00000000 00000000 8c601040 nt!PnpDeviceActionWorker+0xdb4b7 [minkernel\ntos\io\pnpmgr\action.c @ 674]  8ba0fc38 8211485c 85852520 421de295 00000000 nt!ExpWorkerThread+0xcf [minkernel\ntos\ex\worker.c @ 4270]  8ba0fc70 82166785 820803e0 85852520 00000000 nt!PspSystemThreadStartup+0x4a [minkernel\ntos\ps\psexec.c @ 7756]  8ba0fc88 82051e07 85943940 8ba0fcd8 82051bb9 nt!KiThreadStartup+0x15 [minkernel\ntos\ke\i386\threadbg.asm @ 82]  8ba0fc94 82051bb9 8b9cc600 8ba10000 8ba0d000 nt!KiProcessDeferredReadyList+0x17 [minkernel\ntos\ke\thredsup.c @ 5309]  8ba0fcd8 00000000 00000000 00000000 00000000 nt!KeSetPriorityThread+0x249 [minkernel\ntos\ke\thredobj.c @ 3881]    RETRACER_ANALYSIS_TAG_STATUS:  Failed in getting KPCR for cadre 1 THREAD_SHA1_HASH_MOD_FUNC:  e029276c66aea80ba36903e89947127118d31128 THREAD_SHA1_HASH_MOD_FUNC_OFFSET:  012389f065d31c8eedd6204846a560146a38099b THREAD_SHA1_HASH_MOD:  44dc639eb162a28d47eaeeae4afe6f9eeccced3d FOLLOWUP_IP:  WwanUsbMp+1c15f ac50c15f 8bf0            mov     esi,eax FAULT_INSTR_CODE:  f33bf08b SYMBOL_STACK_INDEX:  eight SYMBOL_NAME:  WwanUsbMp+1c15f FOLLOWUP_NAME:  MachineOwner MODULE_NAME: WwanUsbMp IMAGE_NAME:  WwanUsbMp.sys DEBUG_FLR_IMAGE_TIMESTAMP:  5211bb0c DXGANALYZE_ANALYSIS_TAG_PORT_GLOBAL_INFO_STR:  Hybrid_FALSE DXGANALYZE_ANALYSIS_TAG_ADAPTER_INFO_STR:  GPU0_VenId0x1414_DevId0x8d_WDDM1.3_NotActive;GPU1_VenId0x8086_DevId0x416_WDDM1.3_Active_Post; STACK_COMMAND:  .thread ; .cxr ; kb BUCKET_ID_FUNC_OFFSET:  1c15f FAILURE_BUCKET_ID:  AV_R_INVALID_WwanUsbMp!unknown_function BUCKET_ID:  AV_R_INVALID_WwanUsbMp!unknown_function PRIMARY_PROBLEM_CLASS:  AV_R_INVALID_WwanUsbMp!unknown_function TARGET_TIME:  2018-02-12T11:33:51.000Z OSBUILD:  16299 OSSERVICEPACK:  15 SERVICEPACK_NUMBER: 0 OS_REVISION: 0 SUITE_MASK:  272 PRODUCT_TYPE:  i OSPLATFORM_TYPE:  x86 OSNAME:  Windows 10 OSEDITION:  Windows ten WinNt TerminalServer SingleUserTS OS_LOCALE:   USER_LCID:  0 OSBUILD_TIMESTAMP:  2017-09-28 18:32:28 BUILDDATESTAMP_STR:  170928-1534 BUILDLAB_STR:  rs3_release BUILDOSVER_STR:  10.0.16299.15.x86fre.rs3_release.170928-1534 ANALYSIS_SESSION_ELAPSED_TIME:  162bd ANALYSIS_SOURCE:  KM FAILURE_ID_HASH_STRING:  km:av_r_invalid_wwanusbmp!unknown_function FAILURE_ID_HASH:  {31e4d053-0758-e43a-06a7-55f69b072cb3} FAILURE_ID_REPORT_LINK: https://become.microsoft.com/fwlink/?LinkID=397724&FailureHash=31e4d053-0758-e43a-06a7-55f69b072cb3  Followup:     MachineOwner ---------  ReadVirtual: 812d1248 not properly sign extended

References

Bug Check Code Reference