TechSpot

BSOD error X8E

By sdogg201
May 28, 2009
  1. OK, really getting tired of this. PC resets by itself. Ran a virus scan, clean. Tried the WinDbg tool, kinda lost; it says it can't load symbols, and something to do with "Probably caused by : ntoskrnl.exe ( nt+c802 )".
    Symbols can not be loaded because symbol path is not initialized. *
    * *
    * The Symbol Path can be set by: *
    * using the _NT_SYMBOL_PATH environment variable. *
    * using the -y <symbol_path> argument when starting the debugger. *
    * using .sympath and .sympath+
    Your debugger is not using the correct symbols ***
    *** ***
    *** In order for this command to work properly, your symbol path ***
    *** must point to .pdb files that have full type information. ***
    *** ***
    *** Certain .pdb files (such as the public OS symbols) do not ***
    *** contain the required information. Contact the group that ***
    *** provided you with these symbols if you need this command to ***
    *** work. ***
    *** ***
    *** Type referenced: nt!_KPRCB
    So I can't figure it out at all. Tried the path, even downloaded symbols. I don't know, really at a loss here.
     


  2. EZ123

    EZ123 TS Rookie Posts: 52

    Can you run Command Prompt, type "fltmc filters" and post the output here?

    Your problem relates to a conflict between two or more products. Given the output, I may be able to figure out which products.

    Currently I suspect ZoneAlarm and Kaspersky products.

    EZ
     
  3. sdogg201

    sdogg201 TS Rookie Topic Starter

    Umm, I'm not sure if you want me to run it in WinDbg or Start > Run > cmd, but I will try both. OK, in DOS I get:
    filter name: KLIF, Num instances 4, frame 0. Under KLIF it says sr, then across from that it says <legacy>. I am sorry, not too tech savvy lol
     
  4. sdogg201

    sdogg201 TS Rookie Topic Starter

    the windbg report

    Here is what I get with WinDbg. It's saved to Notepad; I hope it's what you're looking for. I have a "can't load symbols" problem, trying to download the symbols and change the path now. I also stopped ZoneAlarm and now get error 0x50, so I'm at a loss.
     
  5. sdogg201

    sdogg201 TS Rookie Topic Starter

    Now error code 0x50

    Don't know why I'm getting this one now when ZoneAlarm is shut down.
     
  6. Route44

    Route44 TechSpot Ambassador Posts: 11,966   +70

    I read your dumps and the first is 0x8E and only cited a Windows driver, which is too general to be of much help. However, these errors are almost always caused by hardware and are a particularly strong indicator of corrupted memory.

    Your second error is 0x00000050: PAGE_FAULT_IN_NONPAGED_AREA
    Requested data was not in memory. An invalid system memory address was referenced. Defective memory (including main memory, L2 RAM cache, video RAM) or incompatible software (including remote control and antivirus software) might cause this Stop message, as may other hardware problems (e.g., incorrect SCSI termination or a flawed PCI card).

    Again, this can be caused by bad RAM but other causes as well. Nothing definitive was cited.

    * Thus, going with what EZ123 suggests, that there appears to be a conflict between Kaspersky and ZA, keep in mind that shutting down a piece of software and uninstalling it are not the same thing, because even while it is shut down, drivers for said software are still present and can still be active, causing conflicts.

    Are Kaspersky and ZA both security suites?
     
  7. EZ123

    EZ123 TS Rookie Posts: 52

    KLIF is Kaspersky's anti-rootkit driver. Try to uninstall any Kaspersky products you have installed.

    The first minidump you provided seems to relate to a faulty mini-filter driver. By running fltmc filters you have listed all of your installed mini-filters. The only one is KLIF, so I am guessing this is the one that faults.

    You may have other faults, but the first minidump seems to be related to KLIF.

    Let us know if it solves the problem.

    As Route44 stated, uninstalling and disabling are not the same thing. By disabling a product you mostly keep all executables running, but in a bypass state.

    EZ
     
  8. EZ123

    EZ123 TS Rookie Posts: 52

    Route44, if it interests you why I consider one of those products to be the faulty driver, I attached my analysis log for you (or anyone else) to look at.

    Code:
    kd> !analyze -v
    *******************************************************************************
    *                                                                             *
    *                        Bugcheck Analysis                                    *
    *                                                                             *
    *******************************************************************************
    
    PAGE_FAULT_IN_NONPAGED_AREA (50)
    Invalid system memory was referenced.  This cannot be protected by try-except,
    it must be protected by a Probe.  Typically the address is just plain bad or it
    is pointing at freed memory.
    Arguments:
    Arg1: b05af080, memory referenced.
    Arg2: 00000000, value 0 = read operation, 1 = write operation.
    Arg3: b05af080, If non-zero, the instruction address which referenced the bad memory
    	address.
    Arg4: 00000000, (reserved)
    
    Debugging Details:
    ------------------
    
    
    Could not read faulting driver name
    
    READ_ADDRESS:  b05af080 
    
    FAULTING_IP: 
    +ffffffffb05af080
    b05af080 ??              ???
    
    MM_INTERNAL_CODE:  0
    
    CUSTOMER_CRASH_COUNT:  2
    
    DEFAULT_BUCKET_ID:  DRIVER_FAULT
    
    BUGCHECK_STR:  0x50
    
    PROCESS_NAME:  System
    
    LAST_CONTROL_TRANSFER:  from 804e3802 to b05af080
    
    FAILED_INSTRUCTION_ADDRESS: 
    +ffffffffb05af080
    b05af080 ??              ???
    
    STACK_TEXT:  
    WARNING: Frame IP not in any known module. Following frames may be wrong.
    f7b05aec 804e3802 86be4618 f75df459 f7b05b38 0xb05af080
    f7b05afc 804e37f7 86b89bc8 86292008 86292008 nt!KeInsertByKeyDeviceQueue+0x4
    f7b05b38 804e37f7 86977d80 86292008 01880000 nt!IopfCallDriver+0x31
    f7b05b48 804f95d8 00000000 86033218 86033228 nt!IopfCallDriver+0x31
    f7b05b38 804e37f7 86977d80 86292008 01880000 nt!IopPageReadInternal+0xf4
    f7b05b5c 804f95ff 86977d80 8603320a 86033230 nt!IopfCallDriver+0x31
    f7b05b5c 804f95ff 86977d80 8603320a 86033230 nt!IoPageRead+0x1b
    f7b05b7c 804f9264 8617d2c8 86033250 86033230 nt!IoPageRead+0x1b
    f7b05bf0 804eba6a 24eab8c0 d6e80000 c035ba00 nt!MiDispatchFault+0x274
    f7b05c40 804f67f3 00000000 d6e80000 00000000 nt!MmAccessFault+0x5bc
    f7b05c80 804ff901 d6e80000 00000000 80557398 nt!MmCheckCachedPageState+0x461
    f7b05d2c 804ff6b4 86beb090 805622c0 86bc5640 nt!CcPerformReadAhead+0x1f1
    f7b05d74 804e426b 86beb090 00000000 86bc5640 nt!CcWorkerThread+0x147
    f7b05dac 8057aeff 86beb090 00000000 00000000 nt!ExpWorkerThread+0x100
    f7b05ddc 804f88ea 804e4196 00000000 00000000 nt!PspSystemThreadStartup+0x34
    00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16
    
    
    STACK_COMMAND:  kb
    
    FOLLOWUP_IP: 
    nt!KeInsertByKeyDeviceQueue+4
    804e3802 ec              in      al,dx
    
    SYMBOL_STACK_INDEX:  1
    
    SYMBOL_NAME:  nt!KeInsertByKeyDeviceQueue+4
    
    FOLLOWUP_NAME:  MachineOwner
    
    MODULE_NAME: nt
    
    IMAGE_NAME:  ntoskrnl.exe
    
    DEBUG_FLR_IMAGE_TIMESTAMP:  498c1a18
    
    FAILURE_BUCKET_ID:  0x50_CODE_AV_BAD_IP_nt!KeInsertByKeyDeviceQueue+4
    
    BUCKET_ID:  0x50_CODE_AV_BAD_IP_nt!KeInsertByKeyDeviceQueue+4
    
    Followup: MachineOwner
    ---------
    
    ** Stack frame shows a page read by the System process. The same crash was on the last dump by this time with 0x50 and
    ** last dump was on the firefox.exe process. Both crash on KeInsertByKeyDeviceQueue+4.
    
    ** The operation here is an IRP (I/O Request Packet) that is a read operation. What we can learn here is that the stack is not right.
    ** It does not make sense that a call to IopfCallDriver is calling IopfCallDriver directly. This happens mainly with drivers/functions that are not following the EBP rule. Long story....
    
    ** Also the warning "Frame IP not in any known module" indicates that the stack shown here does not show us the real story.
    
    ** I will try to resolve the stack now.
    
    kd> !thread
    GetPointerFromAddress: unable to read from 8055fbd4
    THREAD 86bc5640  Cid 0004.0020  Teb: 00000000 Win32Thread: 00000000 RUNNING on processor 0
    Not impersonating
    GetUlongFromAddress: unable to read from 8055fc6c
    Owning Process            86bc69c8       Image:         System
    ffdf0000: Unable to get shared data
    Wait Start TickCount      1528025      
    Context Switch Count      47645             
    ReadMemory error: Cannot get nt!KeMaximumIncrement value.
    UserTime                  00:00:00.000
    KernelTime                00:00:00.000
    Start Address nt!ExpWorkerThread (0x804e4196)
    
    * Here I can see the stack init and the limit. I will look at the stack and try to resolve it by hand.
    
    kd> dds f7b03000 f7b06000 ** I have cut here to reduce number of characters.
    f7b05a8c  00000000
    f7b05a90  8054ba10 nt!ExAllocatePoolWithTag+0x4a9
    f7b05a94  00000008
    f7b05a98  8054bdb9 nt!ExAllocatePoolWithTag+0x7af
    f7b05a9c  00000000
    f7b05aa0  ffdff120
    f7b05aa4  ffffffff
    f7b05aa8  86be4618
    f7b05aac  00000000
    f7b05ab0  00000023
    f7b05ab4  00000023
    f7b05ab8  86292008
    f7b05abc  f753e025 Ntfs!NtfsFsdRead+0x2a9
    f7b05ac0  00000000
    f7b05ac4  00000000
    f7b05ac8  f7b05d1c
    f7b05acc  00000030
    f7b05ad0  86977d80
    f7b05ad4  86bcaa18
    f7b05ad8  86a076e8
    f7b05adc  f7b05afc
    f7b05ae0  00000000
    f7b05ae4  b05af080
    f7b05ae8  00000008
    f7b05aec  00010246
    f7b05af0  804e3802 nt!KeInsertByKeyDeviceQueue+0x4
    f7b05af4  86be4618
    f7b05af8  f75df459 sr!SrPassThrough+0x31
    f7b05afc  f7b05b38
    f7b05b00  804e37f7 nt!IopfCallDriver+0x31
    f7b05b04  86b89bc8
    f7b05b08  86292008
    f7b05b0c  86292008
    f7b05b10  f75f509e fltMgr!FltpDispatch+0x152
    f7b05b14  86033228
    f7b05b18  86b88280
    f7b05b1c  8617d2c8
    f7b05b20  86a076e8
    f7b05b24  86292008
    f7b05b28  00000000
    f7b05b2c  ffffffff
    f7b05b30  00000000
    f7b05b34  00000008
    f7b05b38  f7b05b5c
    f7b05b3c  804e37f7 nt!IopfCallDriver+0x31
    f7b05b40  86977d80
    f7b05b44  86292008
    f7b05b48  01880000
    f7b05b4c  804f95d8 nt!IopPageReadInternal+0xf4
    f7b05b50  00000000
    f7b05b54  86033218
    f7b05b58  86033228
    f7b05b5c  f7b05b7c
    f7b05b60  804f95ff nt!IoPageRead+0x1b
    f7b05b64  86977d80
    f7b05b68  8603320a
    f7b05b6c  86033230
    f7b05b70  86033218
    f7b05b74  86033228
    f7b05b78  00000000
    f7b05b7c  f7b05bf0
    f7b05b80  804f9264 nt!MiDispatchFault+0x274
    f7b05b84  8617d2c8
    f7b05b88  86033250
    f7b05b8c  86033230
    f7b05b90  86033218
    f7b05b94  86033228
    f7b05b98  806f0298 hal!KeRaiseIrqlToDpcLevel
    f7b05b9c  c035ba00
    f7b05ba0  0029cc00
    f7b05ba4  01880000
    f7b05ba8  00000000
    f7b05bac  804f31e4 nt!CcGetVacbMiss+0x4d0
    f7b05bb0  00000000
    f7b05bb4  00000000
    f7b05bb8  85fcecf8
    f7b05bbc  00040000
    f7b05bc0  00000000
    f7b05bc4  00000000
    f7b05bc8  00000000
    f7b05bcc  00000000
    f7b05bd0  00000000
    f7b05bd4  00000000
    f7b05bd8  00033a29
    f7b05bdc  00000000
    f7b05be0  00000000
    f7b05be4  00000000
    f7b05be8  e10a7200
    f7b05bec  86033218
    f7b05bf0  f7b05c40
    f7b05bf4  804eba6a nt!MmAccessFault+0x5bc
    f7b05bf8  24eab8c0
    f7b05bfc  d6e80000
    f7b05c00  c035ba00
    f7b05c04  e10a7200
    f7b05c08  00000000
    f7b05c0c  f7b05c34
    f7b05c10  c035ba00
    f7b05c14  c038429c
    f7b05c18  40000000
    f7b05c1c  86bc69c8
    f7b05c20  00000000
    f7b05c24  f7b05bb0
    f7b05c28  00000000
    f7b05c2c  f7b05d1c
    f7b05c30  00000000
    f7b05c34  00000000
    f7b05c38  ffffffff
    f7b05c3c  004f31e4
    f7b05c40  f7b05c80
    f7b05c44  804f67f3 nt!MmCheckCachedPageState+0x461
    f7b05c48  00000000
    f7b05c4c  d6e80000
    f7b05c50  00000000
    f7b05c54  00000000
    f7b05c58  00010000
    f7b05c5c  85fcecf8
    f7b05c60  0000000f
    f7b05c64  00000004
    f7b05c68  81cf4508
    f7b05c6c  86bc5640
    f7b05c70  00000000
    f7b05c74  c035ba00
    f7b05c78  e10a7200
    f7b05c7c  00fcecf8
    f7b05c80  f7b05d2c
    f7b05c84  804ff901 nt!CcPerformReadAhead+0x1f1
    f7b05c88  d6e80000
    f7b05c8c  00000000
    f7b05c90  80557398 nt!CcExpressWorkQueue
    f7b05c94  85f662f0
    f7b05c98  00000000
    f7b05c9c  01880000
    f7b05ca0  00000000
    f7b05ca4  01890000
    f7b05ca8  00000000
    f7b05cac  01880000
    f7b05cb0  00000000
    f7b05cb4  00010000
    f7b05cb8  00010000
    f7b05cbc  01880000
    f7b05cc0  00000000
    f7b05cc4  00010000
    f7b05cc8  85fcedd0
    f7b05ccc  0000000e
    f7b05cd0  85fcecf8
    f7b05cd4  00000010
    f7b05cd8  00000000
    f7b05cdc  00000001
    f7b05ce0  00000000
    f7b05ce4  8617d2c8
    f7b05ce8  00000001
    
    ** Looking at the offset f7b05af0 in the stack, we can see the last function we have seen on the !analyze -v stack.
    ** Looking deeper, we can see other entries. But still, let's try to resolve the stack.
    
    kd> kv L=f7b05ab8
    ChildEBP RetAddr  Args to Child              
    WARNING: Frame IP not in any known module. Following frames may be wrong.
    f7b05aec 804e3802 86be4618 f75df459 f7b05b38 0xb05af080
    f7b05af4 f75df459 f7b05b38 804e37f7 86b89bc8 nt!KeInsertByKeyDeviceQueue+0x4 (FPO: [Non-Fpo])
    f7b05b0c f75f509e 86033228 86b88280 8617d2c8 sr!SrPassThrough+0x31 (FPO: [Non-Fpo])
    86292008 86033250 00000043 00000000 86292018 fltMgr!FltpDispatch+0x152 (FPO: [Non-Fpo])
    86292014 86292018 86292018 00000000 00010000 0x86033250
    00000000 00000000 00000000 00000000 00000000 0x86292018
    
    ** Now it seems that both sr.sys and fltMgr.sys were on the stack. Here is the reason I asked for fltmc filters. It provides me with the 
    ** information on which mini-filters exist on his system. Currently the only one is KLIF, so it would be interesting to see that driver removed.
    
    ** sr.sys is the system restore driver and I doubt it is the root cause.
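
The manual stack resolution in the log above can be reproduced offline from the pasted `dds` text. The following is an added example, not part of EZ123's post: it walks the saved-EBP chain and lists symbolised stack values that the chain skips. The function names and the choice of `nt`/`hal` as "core" modules are assumptions made for illustration.

```python
import re

# Excerpt of the `dds` output posted above: stack address, dword, optional symbol.
DDS = """\
f7b05af0  804e3802 nt!KeInsertByKeyDeviceQueue+0x4
f7b05af8  f75df459 sr!SrPassThrough+0x31
f7b05afc  f7b05b38
f7b05b00  804e37f7 nt!IopfCallDriver+0x31
f7b05b10  f75f509e fltMgr!FltpDispatch+0x152
f7b05b38  f7b05b5c
f7b05b3c  804e37f7 nt!IopfCallDriver+0x31
f7b05b4c  804f95d8 nt!IopPageReadInternal+0xf4
f7b05b5c  f7b05b7c
f7b05b60  804f95ff nt!IoPageRead+0x1b
f7b05b7c  f7b05bf0
f7b05b80  804f9264 nt!MiDispatchFault+0x274
"""

LINE = re.compile(r"^([0-9a-f]{8})\s+([0-9a-f]{8})(?:\s+(\S+))?$")

def parse_dds(text):
    """Map stack address -> (dword value, symbol or None)."""
    mem = {}
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            mem[int(m.group(1), 16)] = (int(m.group(2), 16), m.group(3))
    return mem

def walk_ebp_chain(mem, ebp):
    """x86 frame chain: [ebp] holds the caller's EBP, [ebp+4] the return address."""
    frames = []
    while ebp in mem and ebp + 4 in mem:
        frames.append((ebp, mem[ebp + 4][1]))
        caller_ebp = mem[ebp][0]
        if caller_ebp <= ebp:  # the stack grows down, so a sane chain only moves up
            break
        ebp = caller_ebp
    return frames

def off_chain_symbols(mem, frames, core=("nt", "hal")):
    """Symbolised dwords outside the chain's return slots, non-core modules only.
    These are candidates (they can be stale data), not proven callers."""
    ret_slots = {ebp + 4 for ebp, _ in frames}
    return [sym for addr, (_, sym) in sorted(mem.items())
            if sym and addr not in ret_slots and sym.split("!")[0] not in core]

if __name__ == "__main__":
    mem = parse_dds(DDS)
    frames = walk_ebp_chain(mem, 0xF7B05AFC)  # saved-EBP slot below IopfCallDriver
    for ebp, ret in frames:
        print(f"{ebp:08x}  returns into {ret}")
    print("off-chain:", off_chain_symbols(mem, frames))
```

The EBP chain reproduces the IopfCallDriver-into-IopfCallDriver sequence from the `!analyze -v` stack, while the off-chain list surfaces the `sr` and `fltMgr` entries that only appear after the stack is resolved by hand.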
     
  9. sdogg201

    sdogg201 TS Rookie Topic Starter

    OK guys, thank you very much. I will uninstall Kaspersky and ZoneAlarm as they are in a suite. Weird to me though, because I remember a few years ago running ZoneAlarm when I had Kaspersky antivirus and they would not work together. It's funny they would put them in a security suite.
     
  10. Route44

    Route44 TechSpot Ambassador Posts: 11,966   +70

    Well, as EZ123 will tell you, if you have security software running in real-time protection (always running in the background because it is constantly monitoring) then the basic rule of thumb is ONE antivirus, ONE firewall, and ONE antispyware/software at any given time.

    Otherwise they will conflict with each other. Just uninstall ZA and see if that brings stability.
     
  11. EZ123

    EZ123 TS Rookie Posts: 52

    Route44, I a reply to your PM but unfortunately I still am on 35 posts and can't answer :)

    You will have to wait 10 more posts for me to answer :).
     
  12. Route44

    Route44 TechSpot Ambassador Posts: 11,966   +70

    No problem! Glad you're here. Nice pick up on the Kaspersky/ZA thing. Hopefully sdogg201 will soon have his system stabilized.
     
  13. sdogg201

    sdogg201 TS Rookie Topic Starter

    Believe it's Solved

    OK, I think I got it guys, thank you a TON! It was ZoneAlarm, and I know the rule, 1 antivirus 1 firewall. The problem with that is it was ZoneAlarm Security Suite, so it was an all-in-one program, so I uninstalled it and went with AVG and Windows Firewall, and so far so good, no resets since my last post. Guys, thank you again!!!!
     
  14. Route44

    Route44 TechSpot Ambassador Posts: 11,966   +70

    First, you're welcome. :) Hats off to EZ123 for spotting the ZA thing. Second, I strongly suggest not using XP firewall because it is very poor as firewalls go.

    Let me suggest two excellent free ones. Online Armor has both a $ version (which I use) and a free version which I also use on another PC system and a laptop. The good news is they just released a brand new version of both $ and free editions.

    COMODO is the other excellent and free firewall.

    Both have excellent support communities so I suggest checking them out. Also, Avira Antivir and Avast 4.8 may be other considerations for an antivirus for future reference. Both offer excellent free versions and they update daily.
     
  15. sdogg201

    sdogg201 TS Rookie Topic Starter

    Solved 1 problem, now what's wrong, gerrrr lol

    OK, now this pops up. Don't know what the heck it is now.
     
  16. Route44

    Route44 TechSpot Ambassador Posts: 11,966   +70

    To quote what I said in post #6 because your current minidump reports it is the same error and the same outcome: I read your dumps and the first is 0x8E and only cited a Windows driver, which is too general to be of much help. However, these errors are almost always caused by hardware and are a particularly strong indicator of corrupted memory.

    ^ Run Memtest on your RAM. See link and follow the steps: http://www.techspot.com/vb/topic62524.html

    This really needs to run for at least 7 PASSES. This takes time and many people will start it before going to bed and check it the next day.

    If you have any errors you have corrupted memory that must be replaced.
     
Topic Status:
Not open for further replies.
