adu123,
I have looked at your minidumps. I suggest that you remove Windows Defender and verify whether that fixes your problem. If this does not fix your problem, it may be a virus/trojan that installed a rootkit on your system, or other security software.
For the more technical people who want to know what I have seen, here is a more detailed analysis:
Looking at the minidumps, I noticed a pattern: every dump is somehow related to accessing the process list and looking at the process data structure.
Here is one of the call stacks from a dump:
bae0ca74 804fee8d babe27e0 00000e50 ff87f700 nt!ExpCopyThreadInfo+0xd
bae0cb04 80583b47 0010c008 00008000 bae0cd30 nt!ExpGetProcessInformation+0x153
bae0cd4c 804de7ec 00000005 0010c008 00008000 nt!NtQuerySystemInformation+0x728
bae0cd4c 7c90eb94 00000005 0010c008 00008000 nt!KiFastCallEntry+0xf8
As you can see, NtQuerySystemInformation is called. This is a native kernel function that basically provides a user application with system information. By looking at the parameters passed to this function you can see: 804de7ec 00000005 0010c008 00008000.
The first parameter is always the return address from this function; the second parameter is the first parameter of NtQuerySystemInformation. Looking at MSDN, I found that the 5 relates to querying the process list. It makes sense because of the next function: ExpGetProcessInformation.
ExpGetProcessInformation is kind of a sub-function of NtQuerySystemInformation that provides the process information (or a specific process's information).
The next operation is nt!ExpCopyThreadInfo. ExpGetProcessInformation is trying to get some of the process's thread information, but this time it crashes.
Dumping nt!ExpCopyThreadInfo on my PC shows:
nt!ExpCopyThreadInfo:
804fed85 8bff mov edi,edi
804fed87 55 push ebp
804fed88 8bec mov ebp,esp
804fed8a 56 push esi
804fed8b 8b7508 mov esi,dword ptr [ebp+8]
804fed8e 57 push edi
804fed8f 8b7d0c mov edi,dword ptr [ebp+0Ch]
804fed92 8b87440100 mov eax,dword ptr [edi+144h]
The crash is related to 804fed92, which shows that a parameter to the ExpCopyThreadInfo function is corrupted. The register edi received a parameter from [ebp+0Ch]. Now eax is trying to access a member variable of the last parameter at offset 0x144 (edi+144h), and crashes.
Looking at the CPU registers when the crash occurs shows:
kd> r
eax=00000e50 ebx=babe2668 ecx=ff9b1c03 edx=00000000 esi=babe27e0 edi=00000e50
eip=804fed92 esp=bae0ca6c ebp=bae0ca74 iopl=0 nv up ei ng nz na pe cy
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010287
nt!ExpCopyThreadInfo+0xd:
804fed92 8b8744010000 mov eax,dword ptr [edi+144h] ds:0023:00000f94=????????
edi -> e50. e50 is not a valid address, and the OS crashed. (An address that small mostly means an invalid virtual address.)
So something did happen to one of the processes' data structures before the crash. From my experience, problems like that occur while using service table hooking. Viruses, rootkits and security applications all do things like that. One of the most common reasons they do it is to hide their product's processes.
Another thing to point out is that the process that tried to query the process information in the first place is MsMpEng.exe.
MsMpEng is part of Windows Defender. This still doesn't say that the cause of the crash is Windows Defender, but there is a big chance it is related to it.
Cheers,
EZ
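As an added example (not part of EZ's post), a small Python triage helper that repeats the effective-address check from the analysis above: it parses the WinDbg `r` output and the faulting instruction, computes `edi+144h` itself, confirms it matches the address the debugger reported, and classifies the address as a null-page pointer. The sample input is the register dump and faulting line quoted in the post; the 64 KiB null-page boundary and the 0x80000000 user/kernel split are the usual 32-bit x86 Windows layout, assumed here.

```python
import re

# Constructed sample input: the register dump and faulting instruction from the post.
REG_DUMP = """eax=00000e50 ebx=babe2668 ecx=ff9b1c03 edx=00000000 esi=babe27e0 edi=00000e50
eip=804fed92 esp=bae0ca6c ebp=bae0ca74 iopl=0 nv up ei ng nz na pe cy"""
FAULT_LINE = "804fed92 8b8744010000 mov eax,dword ptr [edi+144h] ds:0023:00000f94=????????"

# "reg=hhhhhhhh" pairs as printed by the kd 'r' command (32-bit registers only).
REG_RE = re.compile(r"\b(e[abcd]x|e[sd]i|e[bs]p|eip)=([0-9a-f]{8})")
# A memory operand of the form [reg] or [reg+dispH] as WinDbg disassembles it.
MEM_RE = re.compile(r"\[(e[a-z]{2})(?:\+([0-9a-f]+)h?)?\]", re.I)
# The "ds:sel:address=value" annotation WinDbg appends; '????????' means unreadable.
DS_RE = re.compile(r"ds:[0-9a-f]{4}:([0-9a-f]{8})=(\S+)")


def parse_registers(dump):
    """Return {register name: value} from a kd 'r' register dump."""
    return {name: int(val, 16) for name, val in REG_RE.findall(dump)}


def effective_address(instr, regs):
    """Compute base+displacement for the memory operand in a disassembled instruction."""
    m = MEM_RE.search(instr)
    base = regs[m.group(1).lower()]
    disp = int(m.group(2), 16) if m.group(2) else 0
    return (base + disp) & 0xFFFFFFFF


def classify(addr):
    """Rough verdict for a 32-bit x86 Windows address (assumed layout)."""
    if addr < 0x10000:
        return "null-page: pointer is a small integer, not a valid virtual address"
    if addr < 0x80000000:
        return "user-mode range"
    return "kernel range"


def triage(reg_dump, fault_line):
    """Cross-check the debugger's reported fault address against the registers."""
    regs = parse_registers(reg_dump)
    ea = effective_address(fault_line, regs)
    m = DS_RE.search(fault_line)
    reported = int(m.group(1), 16)
    return {
        "effective_address": ea,
        "matches_debugger": ea == reported,
        "unreadable": "?" in m.group(2),
        "verdict": classify(ea),
    }


if __name__ == "__main__":
    print(triage(REG_DUMP, FAULT_LINE))
```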