dient1t,
just to make sure I understand. did you install Avast after removing McAfee antivirus ? or were those two was there in the first place ?
If avest was the replacment for the McAfee antivirus I will suspect you have a third party software that was not McAfee Antivirus but one that conflict with the two antiviruses. Let me explain deeper You may not understand what I am trying to say but will provide a direction:
On most of your minidump, you machine crashes on a specific operation (opcode). here is the repeative pattren :
a773abe4 805823eb e2829b60 d984ed78 a773acb0 nt!KeInitThread+0xa5
a773ac58 80582380 e109d378 a773acb0 00000004 nt!CmSetValueKey+0xd0
a773acec aa3e7a1b 000008a4 01a1ed90 00000000 nt!NtSetValueKey+0x228
NtSetValueKey is a windows function that set a value in the registry. Antiviruses software are Hooking this function to be able to monitor any key that been writen to the registry. most of the antiviruses and other products may required protection over there own files and registry keys so they will protect those keys ( you will not be able to change them). This is the way it is done. Hooking this function will help them to see if the product keys have changed, and if they are it is possible to fail this function and protect the key.
Hooking is something that windows does not support and to do that developers needs to do some nasty tricks. One of the most common problems are what will happen when two different products will try to hook the same function. I suspect this is your issue here. While avest does hooking the NtSetValueKey, it seems somthing else do it as well but in the bad way. that is the reason it failed.
Here is how the hooking looks like :
Code:
a773abe4 805823eb e2829b60 d984ed78 a773acb0 nt!KeInitThread+0xa5
a773ac58 80582380 e109d378 a773acb0 00000004 nt!CmSetValueKey+0xd0
a773acec aa3e7a1b 000008a4 01a1ed90 00000000 nt!NtSetValueKey+0x228
WARNING: Stack unwind information not available. Following frames may be wrong.
a773ad44 804dd99f 000008a4 01a1ed90 00000000 aswSP+0x8a1b
a773ad44 7c90e514 000008a4 01a1ed90 00000000 nt!KiFastCallEntry+0xfc
KiFastCallEntry responsible for directing an application call to the kernel function using the service table. While calling NtSetValueKey, we can see that it first reach aswSP.sys. This shows the hook. aswSP.sys is then forwarding the call to ntSetValueKey. this is the part which resolve the hook. My question is how CmSetValueKey called KeInitThread which does not make any sense at all. And here we goes deeper :
I have looked at the minidump stack and disassemble the CmSetValueKey and the real function that should have been called is :CmpFindNameInList. Looking at the internal stack I do see a call to this function but somthing gets courrpted.
Here is the CmSetValueKey disassemble, I have looked at the return address from the KeInitThread to see were the call to KeInitThread was done and here is what I saw :
Code:
kd> u 805823eb-5
** u = unassemble, -5 because we are on the return address. -5 will help us to get to the calling address and not the return address.
nt!CmSetValueKey+0xcb:
805823e6 e85a030000 call nt!CmpFindNameInList (80582745)
805823eb 84c0 test al,al
As you can see CmpFindNameinList is here. Now I'll look at the stack trace from KeInitThread :
Code:
kd> dps a773abe4-50
a773ab94 a773abe4
a773ab98 a773ac48
a773ab9c 00000030
a773aba0 00000000
a773aba4 e2829b60
a773aba8 0008dd50
a773abac a773abe4
a773abb0 00000002
a773abb4 805755ad nt!KeInitThread+0xa5
a773abb8 00000008
a773abbc 00010202
a773abc0 8058276b nt!CmpFindNameInList+0x26
a773abc4 e2829b60
a773abc8 0008fc50
a773abcc d984ed54
a773abd0 e109d378
a773abd4 0008dd50
a773abd8 a773aba8
a773abdc 00000001
a773abe0 ffffffff
a773abe4 a773ac58
a773abe8 805823eb nt!CmSetValueKey+0xd0
a773abec e2829b60
a773abf0 d984ed78
a773abf4 a773acb0
a773abf8 a773ac2c
a773abfc a773ac30
a773ac00 e2d5f6b8
a773ac04 00000000
a773ac08 00000004
a773ac0c e109d378
a773ac10 8057302f nt!CmQueryValueKey+0x10d
kd> dps
a773ac14 01a1ecd8
a773ac18 00000000
a773ac1c 00000000
a773ac20 ffffffff
a773ac24 0008dd50
a773ac28 fc82d590
a773ac2c e1a63fb8
a773ac30 00000001
a773ac34 e2829b60
a773ac38 0017cc90
a773ac3c 0073ac60
a773ac40 a773ac00
a773ac44 fc82d590
a773ac48 a773acdc
a773ac4c 804e2ed8 nt!_except_handler3
a773ac50 804f4208 nt!`string'+0x190
a773ac54 ffffffff
a773ac58 a773acec
a773ac5c 80582380 nt!NtSetValueKey+0x228
What we do see is that the function call is nt!CmpFindNameInList+0x26 and it means that the real crash was caused here . 0x26 bytes into CmpFindNameinList lets disassemble it :
Code:
kd> u nt!CmpFindNameInList
nt!CmpFindNameInList:
80582745 8bff mov edi,edi
80582747 55 push ebp
80582748 8bec mov ebp,esp
8058274a 83ec0c sub esp,0Ch
8058274d 8b450c mov eax,dword ptr [ebp+0Ch]
80582750 834dfcff or dword ptr [ebp-4],0FFFFFFFFh
80582754 53 push ebx
80582755 56 push esi
kd> u
nt!CmpFindNameInList+0x11:
80582756 57 push edi
80582757 33ff xor edi,edi
80582759 3938 cmp dword ptr [eax],edi
8058275b 0f8484a80300 je nt!CmpFindNameInList+0xfb (805bcfe5)
80582761 ff7004 push dword ptr [eax+4]
80582764 8b7508 mov esi,dword ptr [ebp+8]
80582767 56 push esi
80582768 ff5604 call dword ptr [esi+4] <---
8058276b 8bd8 mov ebx,eax
0x6b-0x45 = 0x26 the return adress is 8058276b. The calling address is 80582768 which we can refer as a call dword ptr [esi+4].
This is a dynamic call and may result the crash. This is very common compiled call but with a minidump I just cant resolve it. I need to uderstand where [esi+4] addres to. I assume that knowing that will probably show us the faulty driver. To continue with the next step I will have to get a kernel dump.
Here is how to generate a kernel dump :
Go to control panel -> System -> Choose Advanced tab.
Under "Startup and Recovery" press the Settings button.
Under System failure -> Write debugging Information -> Choose Kernel Dump.
You should notice the directory it choose to dump the file. By default it should be dumped at \Windows\memory.dmp file.
When you finish setting up the kernel dump, just wait for next BSOD. this time it will take much longer to create the dump. When the dump will be created, log in back to your machine. Zip the memory.dmp file and just send it over somehow. The dump is larger and may be the side of 100-200MB uncompressed.
EZ