BSOD: IRQL_... caused by ntkrnlpa.exe

davidbaldwin

Hello folks,

I was able to mysteriously get through this before but it has come back. Used BlueScreenView to isolate the cause but it's pointing to NT Kernel. What next?

==================================================
Dump File : Mini020111-02.dmp
Crash Time : 2/1/2011 8:18:43 AM
Bug Check String : IRQL_NOT_LESS_OR_EQUAL
Bug Check Code : 0x0000000a
Parameter 1 : 0x0000100d
Parameter 2 : 0x0000001b
Parameter 3 : 0x00000001
Parameter 4 : 0x824f35ae
Caused By Driver : ntkrnlpa.exe
Caused By Address : ntkrnlpa.exe+4dfd9
File Description : NT Kernel & System
Product Name : Microsoft® Windows® Operating System
Company : Microsoft Corporation
File Version : 6.0.6002.18267 (vistasp2_gdr.100608-0458)
Processor : 32-bit
Computer Name :
Full Path : C:\Windows\Minidump\Mini020111-02.dmp
Processors Count : 4
Major Version : 15
Minor Version : 6002
Dump File Size : 133,472
==================================================

==================================================
Dump File : Mini020111-01.dmp
Crash Time : 2/1/2011 7:45:37 AM
Bug Check String : IRQL_NOT_LESS_OR_EQUAL
Bug Check Code : 0x0000000a
Parameter 1 : 0x0000100d
Parameter 2 : 0x0000001b
Parameter 3 : 0x00000001
Parameter 4 : 0x824e55ae
Caused By Driver : ntkrnlpa.exe
Caused By Address : ntkrnlpa.exe+4dfd9
File Description : NT Kernel & System
Product Name : Microsoft® Windows® Operating System
Company : Microsoft Corporation
File Version : 6.0.6002.18267 (vistasp2_gdr.100608-0458)
Processor : 32-bit
Computer Name :
Full Path : C:\Windows\Minidump\Mini020111-01.dmp
Processors Count : 4
Major Version : 15
Minor Version : 6002
Dump File Size : 133,472
==================================================

I can start in safe mode. I haven't added any hardware or software since my last successful boot. Seatools passed my hard drive recently. I will run the Diagnostics CD again to see if anything comes up - but this appears to be software. This BSOD is occurring on every NORMAL start now (out of the Blue!)
The 3rd crash shows a similar but slightly different 4th parameter, as did crash 1 and 2.

According to ntbtlog.txt (attached), ntkrnlpa.exe is the first driver that Windows loads, and after crcdisk.sys, there are a LOT of drivers that don't load, and repetition? trying to re-load those drivers.

Any help would be much appreciated. Windows Mem Diagnostic ok. Carrying on with other diags.
 

Attachments

  • ntbtlog.txt
    153.8 KB · Views: 3
If you can start and run in Safe Mode this is a strong indicator that the issue is with drivers. I want you to do the following and I will read your minidumps for you.

How to find and post your Minidump Files:

My Computer > C Drive > Windows Folder > Minidump Folder > Minidump Files.

It is these files that we need (not the folder). Attach to your next post the five most recent dumps. Notice the Manage Attachments button at the bottom when you go to post the next time. You can Zip up to five files per Zip; if you only have one or two you don’t need to zip them, just attach as is. Please do us a favor and don’t Zip each one individually.
 
Hello Route 44,
thank you.

I will get those mini-dumps to you later.
I ran system repair again and this time chose to do the irreversible system restore (which I chose not to do last time).
The system started. I don't know what changes took place to create the prob.
I have to run now so I'll get back to this. Whatever it was might come back.
 
I'm back.

I have attached the 1 and only mini dump file that was in that folder. I'm not sure why there's only one, since the system crashed multiple times.
The Startup and Recovery settings are shown in the attached jpeg.
I have a 179MB memory.dmp file in C:\Windows, and this 130KB file (attached).
I am using the (system restored) computer to send this (Windows started normally).

I certainly appreciate any assistance reading the .dmp to understand why this happened so I can hopefully prevent it from happening again. Ruined my day.

Thanks
Dave
 

Attachments

  • System Failure.jpg
    32.5 KB · Views: 5
  • Mini020111-01.dmp
    130.3 KB · Views: 12
As per your minidump file your issue is with the pxrts.sys driver. This belongs to Prevx Realtime Scanner belonging to the product Prevx Edge.

This engages every time you boot-up.
 
Thank you!

Interesting... I have used PREVX for years. I also remember it wasn't responding prior to my restart and the BSOD problem.

I should also state that when I first ran System Repair, and declined the system restore, it went on to try to repair my computer and part of that is the System File Integrity Check & Repair. That failed with error code 0x2, but didn't say what file or files caused the error.

As I sit here with a restored system, I ran sfc /verifyonly and it came up good -
Verification 100% complete.
Windows Resource Protection did not find any integrity violations.

I will contact PREVX with this story. Their tech support is always quick to respond.

Any other suggestions or information I can pass to them? Did the dump reveal any other details about how pxrts.sys crashed my system?
 
Just tell them your error code is 0xA: IRQL_NOT_LESS_OR_EQUAL
Typically due to a bad driver, or faulty or incompatible hardware or software. Technically, this error condition means that a kernel-mode process or driver tried to access a memory location to which it did not have permission, or at a kernel Interrupt ReQuest Level (IRQL) that was too high. (A kernel-mode process can access only other processes that have an IRQL lower than, or equal to, its own.)

They should know what this error code indicates so they don't need the definition. I added it to give you more information.

Keep us updated.
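
An added example, not part of the original posts: it parses the two BlueScreenView records from the first post (trimmed to the fields used) and decodes the four 0xA parameters using Microsoft's documented meaning for this bug check. The function names and the near-NULL heuristic are this example's own assumptions.

```python
import re
from collections import Counter

# Two records from the first post's BlueScreenView report, trimmed.
REPORT = """\
==================================================
Dump File : Mini020111-02.dmp
Bug Check Code : 0x0000000a
Parameter 1 : 0x0000100d
Parameter 2 : 0x0000001b
Parameter 3 : 0x00000001
Parameter 4 : 0x824f35ae
Caused By Address : ntkrnlpa.exe+4dfd9
==================================================

==================================================
Dump File : Mini020111-01.dmp
Bug Check Code : 0x0000000a
Parameter 1 : 0x0000100d
Parameter 2 : 0x0000001b
Parameter 3 : 0x00000001
Parameter 4 : 0x824e55ae
Caused By Address : ntkrnlpa.exe+4dfd9
==================================================
"""


def parse_report(text):
    """Split a BlueScreenView text report into one dict per crash record."""
    records = []
    for block in re.split(r"^=+$", text, flags=re.M):
        fields = {}
        for line in block.splitlines():
            key, sep, value = line.partition(" : ")
            if sep:  # skips blank lines and empty fields like "Computer Name :"
                fields[key.strip()] = value.strip()
        if fields:
            records.append(fields)
    return records


def decode_0a(rec):
    """Decode the four bug check 0xA parameters per Microsoft's reference."""
    if int(rec["Bug Check Code"], 16) != 0x0A:
        raise ValueError("not an IRQL_NOT_LESS_OR_EQUAL record")
    addr, irql, flags, instr = (int(rec[f"Parameter {i}"], 16) for i in range(1, 5))
    access = "execute" if flags & 0x8 else "write" if flags & 0x1 else "read"
    return {
        "dump": rec["Dump File"],
        "address": addr,               # memory that was referenced
        "irql": irql,                  # IRQL at the time of the reference
        "access": access,              # bit 0 = write, bit 3 = execute
        "instruction": instr,          # address of the faulting instruction
        "elevated": irql >= 2,         # 2 = DISPATCH_LEVEL
        "near_null": addr < 0x10000,   # heuristic: small offset from NULL
        "page_offset": instr & 0xFFF,  # same for any page-aligned load base
    }


def summarize(text):
    """Decode every record and count the blamed module+offset strings."""
    records = parse_report(text)
    blamed = Counter(r["Caused By Address"] for r in records)
    return [decode_0a(r) for r in records], blamed
```

Both dumps decode to a write to 0x100d at IRQL 0x1b with the faulting instruction at the same page offset, so the two crashes are the same fault. Naming the driver responsible still needs the stack from a debugger.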
 
Happened again. Unfortunately I have not yet uninstalled and reinstalled Prevx, but I did contact their tech support and that is what they recommended I do.

I have attached the new mini-dump to this post, if Route44 or someone else would please take a look and speculate on what caused this crash.

Same error - same parameters.

After I send this post I will run sfc /verifyonly to see what comes up.
I will then uninstall Prevx.

I don't want to restore again until I have completed these two checks.
I will have access to another computer to read any replies.
Thanks!
 

Attachments

  • Mini020211-01.dmp
    130.3 KB · Views: 3
Thanks Route44. You are always there when I need you!

sfc /verifyonly
Beginning system scan. This process will take some time.
Beginning verification phase of system scan.
Verification 100% complete.
Windows Resource Protection did not find any integrity violations.

surprising...no errors there.
I am in Safe Mode with Networking
 
When in Safe Mode Windows prevents many drivers from loading except the essential ones. The issue for you is when Windows loads fully along with third party software such as PREVX. The conflict occurs then.
 
I want to thank you again Route 44.

I uninstalled Prevx and the computer booted normally into Windows. Oh, and it boots faster too.

I have used Prevx for years on multiple computers. Not sure why it gave me grief on this one. But so far so good and I'll leave it uninstalled until or unless I get a good explanation from Prevx. They're in Europe so they tend to answer tech support emails in the middle of our night.

Can I ask what utility you use to view the .dmp files?
 
Microsoft developed a Windows Debugging Tool in order to read minidump files. Many people make the mistake of believing that when Windows Blue Screens it is malfunctioning but this is not the case at all. Windows is rather protecting the system before serious damage can occur. So when it shuts down it writes a minidump file for diagnostic purposes.

The things to look for in the minidump file are the Error Code and the Probable Cause. There is also a lot of other information I can't understand without more schooling but I have found that knowing these two pieces of information is oftentimes more than sufficient. Knowing the OS, which will be in the file, is also important. There is also a gut instinct that develops over time. Often the only probable cause given is simple answers like hardware or OS drivers that are usually too general to be of much diagnostic help.

Well I probably rambled on and gave you more than you needed (or wanted) so here is the link: http://www.microsoft.com/whdc/devtools/debugging/installx86.Mspx

The tool itself doesn't take much time to install. It is the Symbol Packages that take a great deal of time however to install.
 
Again, I appreciate that very much.
Despite a blue screen being a Windows protective measure, it causes a lot of grief when it just won't stop or resolve itself. You have helped immensely and I'm relieved to have my computer up and running again.
I will post back if Prevx Support has anything valuable to pass on.
I might just post a link to this thread in the Prevx forum as well.
Cheers
:)
 
Well, Prevx have responded in a couple of ways.

Prevx Support have analyzed my mini.dmp and responded:
"We have identified the issue and a change will be included in the next update. pxrts.sys is removed during the normal uninstall routine but it is possible that because of the crash you experienced, it was not removed properly. If you try reinstalling and then uninstall, pxrts.sys should be automatically removed."
"The source of the conflict is difficult to identify and you are currently the only user to have reported the issue. You may wish to subscribe to the thread on Wilders Security so that you can be notified when we correct it."

The Prevx forum at Wilders Security has a Prevx Moderator called PrevxHelp, who also responded:
"However, I have analyzed your dump and indeed it is a bug in Prevx and ironically it is likely that it is also the cause for pxrts.sys not being uninstalled (as it is related to the self protection components around preventing pxrts.sys from being deleted)." Prevx Help also said "It is an incompatibility which has existed since the beginning of Prevx 3 but as it is a very stray condition, no one has actually encountered it before."

I think it's amazing that the answers match, since the PrevxHelp moderator is admittedly not part of the Prevx Support team. I'm not sure how they're related.
 
Route44 ? I need you again.
Much time has passed. I have graduated from Prevx to (its successor) Webroot Secure Anywhere (WSA) which functions similarly. I also still run Norton360 alongside it. Norton360 doesn't agree but WSA says it works alongside any other security software.

Well, my comp is blue-screening again. I used driver verifier to enable the pool tracking option which was supposed to identify what driver is causing the problem but it doesn't spell it out. The second blue screen said a driver in my kernel stack is trying to corrupt my computer. BlueScreenView points to (surprise) ntkrnlpa.exe caused By Address : ntkrnlpa.exe+cdabf
File Description : NT Kernel & System.
==================================================
Dump File : Mini120512-01.dmp
Crash Time : 12/5/2012 5:52:46 AM
Bug Check String : PROCESS_HAS_LOCKED_PAGES
Bug Check Code : 0x00000076
Parameter 1 : 0x00000000
Parameter 2 : 0x89072020
Parameter 3 : 0x00000001
Parameter 4 : 0x00000000
Caused By Driver : ntkrnlpa.exe
Caused By Address : ntkrnlpa.exe+cdabf
File Description : NT Kernel & System
Product Name : Microsoft® Windows® Operating System
Company : Microsoft Corporation
File Version : 6.0.6002.18686 (vistasp2_gdr.120824-0336)
Processor : 32-bit
Computer Name :
Full Path : C:\Windows\Minidump\Mini120512-01.dmp
Processors Count : 4
Major Version : 15
Minor Version : 6002
Dump File Size : 146,096
==================================================

The second blue screen (after using driver verifier with pool tracking) was slightly more specific but identified the exact same cause. From my experience with "Caused By Driver : ntkrnlpa.exe", and your minidump reads, I don't put any faith in BSV to pick the exact problem driver.

==================================================
Dump File : Mini120512-02.dmp
Crash Time : 12/5/2012 8:56:58 PM
Bug Check String : DRIVER_VERIFIER_DETECTED_VIOLATION
Bug Check Code : 0x000000c4
Parameter 1 : 0x00000062
Parameter 2 : 0x914a35f8
Parameter 3 : 0x914a35a0
Parameter 4 : 0x00000002
Caused By Driver : ntkrnlpa.exe
Caused By Address : ntkrnlpa.exe+cdabf
File Description : NT Kernel & System
Product Name : Microsoft® Windows® Operating System
Company : Microsoft Corporation
File Version : 6.0.6002.18686 (vistasp2_gdr.120824-0336)
Processor : 32-bit
Computer Name :
Full Path : C:\Windows\Minidump\Mini120512-02.dmp
Processors Count : 4
Major Version : 15
Minor Version : 6002
Dump File Size : 146,096
==================================================

Route44 would you be so kind as to take a look at the 2 attached minidumps and identify the problem in each (or both)?
Much appreciation in advance - thank you!

Cheers
 

Attachments

  • davidb.zip
    1.3 KB · Views: 0
Question: Is WSA in real time protection?

Also, want you to know that I am heading for bed. It is almost 1 a.m. here and I need to be up early. So if I don't answer back right away you'll know why. :)
 
Hello Route44,
On your own time of course - we are in the same time zone. Glad to know you are still very connected to supporting others!
- short answer - yes -
- long answer - I have pasted below a recent response from Webroot regarding running WSA alongside other products. I have also attached jpegs of my WSA "Overview" and "PC Security - Shields" screenshots. I have been running these alongside for almost a year with no blue screens - but Norton360 was upgraded recently from ver 5 to ver 6. There have been little to no reports of Norton360/WSA combination users reporting difficulties. My son's computer (on same home network and similar config) has also been blue-screening lately. I suspect coincidence, or some common software running on both is glitching. I have run multiple scans with different products and no viruses or spyware has been identified. Norton360/WSA/WinDefender/Firewall and all behind a router. I also use Secunia PSI to ensure all my programs are up to date. I did have a Windows warning about my video driver (hardware is an old OEM version of an ATI Radeon HD 3400 series PCIe taken out of a Dell machine - yes I need a newer video card). I have just updated that driver with a new package from AMD (ATI), but the minidumps are from just before that. Here's the WSA tech response and jpegs:

Although security software companies have, traditionally, advised against running multiple antivirus programs on the same computer, this rule does not hold true for Webroot SecureAnywhere. The reason for such recommendations involved the way traditional antivirus programs run. SecureAnywhere is different.

Most antivirus software is very aggressive. When an antivirus program scans a file, it accesses that file and locks it until the scan is complete, so other programs can’t access it. If multiple real-time antivirus scanners are installed on the same system, the secondary system will attempt to scan the file the moment it is accessed by the first scan. Now, both programs are competing to scan the file. Depending on the aggressiveness of each program, one may detect the conflict as an “attack” and attempt to block the offending process. Now, the two antivirus programs are not only competing for the same file, but are actively working against one another. This causes a strong struggle for resources on your computer that can drastically impact system performance, and can leave your system more vulnerable to malware attacks.

Antispyware software, on the other hand, is non-aggressive toward antivirus software. While it may try to lock files being actively scanned, it will not compete with an antivirus program when the latter attempts to block or take control of a file. This is why antispyware applications can run alongside most antivirus protection without issue.

As mentioned above, Webroot SecureAnywhere works differently from other virus protection. SecureAnywhere does not rely on the customary system of definition sets to make determinations. Instead, this new program examines file behavior and system interaction closely to determine if files are malicious or not. Only files that present risk are examined.

Using the same advanced behavioral detection that determines which files are malicious, SecureAnywhere is able to recognize other virus protection software on your computer as one of “the good guys.” This means SecureAnywhere won’t block with on-access scanning or try to break through legitimate lockouts. In this way, potential software conflicts, and the resulting system slowness and vulnerability, can be avoided. You can run SecureAnywhere alongside another antivirus program safely.

The two WSA Installer services you can see listed under your Start up are an intended process. They are designed as a fail safe to ensure all users are protected by Webroot and to avoid infections being able to shut down Webroot SecureAnywhere.
Thanks for being there - you are a Saint. Anxious but patiently awaiting your analysis...
 

Attachments

  • WSA1.JPG
    92.6 KB · Views: 1
  • WSA2.JPG
    86.9 KB · Views: 1
Well, you and your son's experience sound almost the same as my son's and my experience from a few years ago. At the time I built a brand new system and was getting Blue Screens almost from the get-go. Strange thing was so was my son's computer and his computer was my old one that never Blue Screened before. Long story short it was the Sunbelt Firewall and a specific driver that was causing the issue and that was the only thing the systems had in common. Once it was removed stability returned to both systems.

I strongly suspect that the upgraded Norton and WAS are conflicting. Uninstall WAS from one or both systems and tell me what you get.

Also, Webroot may be an anti-spyware but Norton 360 also carries an anti-spyware. The rule still applies: If run in real time, security software drivers will most often conflict, causing Blue Screens. A WAS upgrade may correct the issue.
 
Hi Route44,

Thanks again. I really would like to know what the minidumps are pointing to before I start uninstalling on at least one of the systems (mine).
I did upgrade the video driver and I haven't seen it BSOD today... yet. All software is up-to-date. Also uninstalling either of these products is slightly more complicated than most, because of the cloud features like back-up and sync that are designed to be installed once.

My son's on the other hand is simply getting worse, sometimes not even starting in safe mode and displaying blue screens titled "Bad pool header" and "Memory management". It is also giving blue screens identical to the title of this thread. I have already completely uninstalled Prevx and Webroot but the errors continue. I'll be running diags on it tonight. I'll also post 2 or 3 of its last minidumps.

Are the minidumps not the key to the solution?
Unfortunately I haven't figured out how to read them. I look forward to knowing what they reveal.
 
David,
Minidumps provide clues to problems. Because of this, it takes practice and patience to analyze them accurately. It looks like you do have program conflicts. "Bad pool header and memory management" are related to memory issues but driver issues and program conflicts can falsely reflect these. Remove Norton and install free Microsoft Security Essentials. Do not re-install Webroot, but go ahead and re-install Prevx... Install and run this temp file cleaner:
http://www.geekstogo.com/forum/files/file/187-tfc-temp-file-cleaner-by-oldtimer/
Run it often
 
Route44 and TMagic
Thanks for the advice. I guess analyzing a minidump is time-consuming and difficult, as I'm not getting any answers on what the Error Code and the Probable Cause were from the two I uploaded as davidb.zip in post #18.
To not confuse the two computers I've mentioned, my own system provided the uploaded minidumps in post #18. It has not crashed since I upgraded the video driver Thursday, as I mentioned in post #22. Did the minidumps point to video?
My son's system has been blue-screening badly. I just finished running multiple diagnostics, Memtest+, HP Diagnostics (came with HP computer) and WDC DOS-harddisk diagnostic. All hardware reports 100%. So it must be software.
I do want to upload some minidumps from his, but I won't bother if you're all too busy to analyze them. I'm not keen on just changing out my main security product (Norton360) unless it's proved to be contributing to the problem. Let me know please.
 
Windows 7 and even Windows 8 have a decent firewall and Windows Defender built-in. I won't mention Windows Vista! Norton and McAfee interfere with the Windows firewall in some cases. I learned a long time ago to remove and stay away from these, like the Plague, in my repair business. Mind you, these computers all have serious software/hardware issues like yours. Windows Security Essentials is free. It doesn't interfere with Windows as you can imagine. Feel free to post any new minidumps. I have had a lot of practice reading and interpreting them. Once a Norton "protected" computer has troubles, the first thing you should do is REMOVE Norton for troubleshooting purposes.
 