tcpip.sys causing BSOD in Windows 10 x64



  • Intel Core i7-6700K @ 4.5 GHz
  • 16 GB DDR4-3000
  • NVIDIA GeForce GTX 1080
  • Microsoft Windows 10 x64

 

Any ideas where to start?

 

eb_tcpip.sys-1.jpg

Link to comment
Share on other sites

Analyze the bluescreen dump to determine which file/driver is tripping a BSOD. Off the top of my head, it could be antivirus, could be network drivers, could be memory failure, but you need to analyze the dump file. 

 

Follow either of these:

 

https://msdn.microsoft.com/en-us/library/windows/hardware/ff538058(v=vs.85).aspx

 

or 

 

http://www.tenforums.com/tutorials/5558-windbg-basics-debugging-crash-dumps-windows-10-a.html

 

You're going to need to do a little work here to resolve it. If you really can't figure out how to use either of those, you can try uploading the dump somewhere public so we can analyze it.

Link to comment
Share on other sites

6 minutes ago, Circaflex said:

Analyze the bluescreen dump to determine which file/driver is tripping a BSOD. Off the top of my head, it could be antivirus, could be network drivers, could be memory failure, but you need to analyze the dump file. 

 

Follow either of these:

 

https://msdn.microsoft.com/en-us/library/windows/hardware/ff538058(v=vs.85).aspx

 

or 

 

http://www.tenforums.com/tutorials/5558-windbg-basics-debugging-crash-dumps-windows-10-a.html

 

You're going to need to do a little work here to resolve it. If you really can't figure out how to use either of those, you can try uploading the dump somewhere public so we can analyze it.

Does this help?

 

eb_bsodview-1.png

 

I also have the 559 KB DMP file but I'm not sure where's best to upload it to.

Link to comment
Share on other sites

Helpful, yes, but not enough information is provided. You'll have to use a program that can analyze the dump and generate a report that will pinpoint the driver causing it. However, my bet is on a network driver (lan or wifi) and I would visit the motherboard's website and download the ones they have available, uninstall the currently installed drivers and install those. However, I have seen Internet Security Suites and Anti-Virus trigger this as well.

 

You can use mega or onedrive to upload the file, just make sure the dmp comes from %SystemRoot%\Minidump. The tenforums link has a picture guide that I find fairly simple to understand. Give that a shot.

Link to comment
Share on other sites

5 minutes ago, Circaflex said:

Helpful, yes, but not enough information is provided. You'll have to use a program that can analyze the dump and generate a report that will pinpoint the driver causing it. However, my bet is on a network driver (lan or wifi) and I would visit the motherboard's website and download the ones they have available, uninstall the currently installed drivers and install those. However, I have seen Internet Security Suites and Anti-Virus trigger this as well.

 

You can use mega or onedrive to upload the file, just make sure the dmp comes from %SystemRoot%\Minidump. The tenforums link has a picture guide that I find fairly simple to understand. Give that a shot.

https://mega.nz/#!hFtxiYbJ!GvTMyml7KlHa4HeJudZxgGh0ep4KQ0ECDkjC9-7e58A

Link to comment
Share on other sites

34 minutes ago, Elliot B. said:

Unfortunately, as often happens, there was no more specific information in the minidump. The code generated is Stop 0x3b with a tcpip.sys crash. Looking at the dmp, you need to either update your network drivers or roll back to whatever version did not cause your BSOD if there are not newer ones. What antivirus do you use? I stopped following insider builds, but are you on the newest build that was released just a day or two ago? In the future, I would tag your post as Windows 10 14965 rather than Windows 10. You are using pre-release software, this will help with troubleshooting.

 

Kernel base = 0xfffff801`c020c000 PsLoadedModuleList = 0xfffff801`c0511630
Debug session time: Thu Dec  8 18:37:12.421 2016 (UTC - 5:00)
System Uptime: 0 days 0:03:11.153
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

SYSTEM_SERVICE_EXCEPTION (3b)
An exception happened while executing a system service routine.
Arguments:
Arg1: 00000000c0000005, Exception code that caused the bugcheck
Arg2: fffff80e0d2d2553, Address of the instruction which caused the bugcheck
Arg3: ffff8100fcc92940, Address of the context record for the exception that caused the bugcheck
Arg4: 0000000000000000, zero.

Debugging Details:
------------------

***** Kernel symbols are WRONG. Please fix symbols to do analysis.

*************************************************************************
***                                                                   ***
***                                                                   ***
***    Either you specified an unqualified symbol, or your debugger   ***
***    doesn't have full symbol information.  Unqualified symbol      ***
***    resolution is turned off by default. Please either specify a   ***
***    fully qualified symbol module!symbolname, or enable resolution ***
***    of unqualified symbols by typing ".symopt- 100". Note that   ***
***    enabling unqualified symbol resolution with network symbol     ***
***    server shares in the symbol path may cause the debugger to     ***
***    appear to hang for long periods of time when an incorrect      ***
***    symbol name is typed or the network symbol server is down.     ***
***                                                                   ***
***    For some commands to work properly, your symbol path           ***
***    must point to .pdb files that have full type information.      ***
***                                                                   ***
***    Certain .pdb files (such as the public OS symbols) do not      ***
***    contain the required information.  Contact the group that      ***
***    provided you with these symbols if you need this command to    ***
***    work.                                                          ***
***                                                                   ***
***    Type referenced: nt!_KPRCB                                     ***
***                                                                   ***
*************************************************************************
TRIAGER: Could not open triage file : e:\dump_analysis\program\triage\modclass.ini, error 2

ADDITIONAL_DEBUG_TEXT:  

Use '!findthebuild' command to search for the target build information.

If the build information is available, run '!findthebuild -s ; .reload' to set symbol path and load symbols.

MODULE_NAME: tcpip

FAULTING_MODULE: fffff801c020c000 nt

DEBUG_FLR_IMAGE_TIMESTAMP:  581d54da

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".

FAULTING_IP: 
tcpip+142553
fffff80e`0d2d2553 488b81cd010000  mov     rax,qword ptr [rcx+1CDh]

CONTEXT:  ffff8100fcc92940 -- (.cxr 0xffff8100fcc92940)
rax=ffff97092a8ca010 rbx=ffff97091de7d800 rcx=0000000000000000
rdx=0000000000000000 rsi=ffff970923fd5010 rdi=ffff97091dd5ec88
rip=fffff80e0d2d2553 rsp=ffff8100fcc93340 rbp=ffff8100fcc93440
 r8=0000000000000000  r9=0000000000000000 r10=b0ce7be9665af49d
r11=ffff8100fcc93310 r12=ffff97092c2f3010 r13=ffff97092ad19be0
r14=ffff97091e3fe010 r15=ffff97091dd5ea38
iopl=0         nv up ei ng nz na pe nc
cs=0010  ss=0018  ds=002b  es=002b  fs=0053  gs=002b             efl=00010282
tcpip+0x142553:
fffff80e`0d2d2553 488b81cd010000  mov     rax,qword ptr [rcx+1CDh] ds:002b:00000000`000001cd=????????????????
Resetting default scope

DEFAULT_BUCKET_ID:  WIN8_DRIVER_FAULT

BUGCHECK_STR:  0x3B

CURRENT_IRQL:  0

LAST_CONTROL_TRANSFER:  from 0000000000000000 to fffff80e0d2d2553

STACK_TEXT:  
ffff8100`fcc93340 00000000`00000000 : ffff9709`1de7d800 ffff9709`23fd5010 ffff9709`1dd5ec88 00000000`00010001 : tcpip+0x142553


FOLLOWUP_IP: 
tcpip+142553
fffff80e`0d2d2553 488b81cd010000  mov     rax,qword ptr [rcx+1CDh]

SYMBOL_STACK_INDEX:  0

SYMBOL_NAME:  tcpip+142553

FOLLOWUP_NAME:  MachineOwner

IMAGE_NAME:  tcpip.sys

STACK_COMMAND:  .cxr 0xffff8100fcc92940 ; kb

BUCKET_ID:  WRONG_SYMBOLS

Followup: MachineOwner
---------

 

Link to comment
Share on other sites
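
Added example, not part of the original thread or any poster's code: a small Python triage pass over the `!analyze -v` text posted above, showing what can still be concluded when symbols fail to load. The function names and the 64 KB threshold are choices made for this example; the sample is an abridged excerpt of the output above with values unchanged.

```python
import re

# Abridged excerpt of the !analyze -v output posted in this thread.
SAMPLE = r"""
SYSTEM_SERVICE_EXCEPTION (3b)
Arg1: 00000000c0000005, Exception code that caused the bugcheck
Arg2: fffff80e0d2d2553, Address of the instruction which caused the bugcheck
***** Kernel symbols are WRONG. Please fix symbols to do analysis.
MODULE_NAME: tcpip
FAULTING_IP:
tcpip+142553
fffff80e`0d2d2553 488b81cd010000  mov     rax,qword ptr [rcx+1CDh]

CONTEXT:  ffff8100fcc92940 -- (.cxr 0xffff8100fcc92940)
rax=ffff97092a8ca010 rbx=ffff97091de7d800 rcx=0000000000000000
rdx=0000000000000000 rsi=ffff970923fd5010 rdi=ffff97091dd5ec88
rip=fffff80e0d2d2553 rsp=ffff8100fcc93340 rbp=ffff8100fcc93440
CURRENT_IRQL:  0
STACK_TEXT:
ffff8100`fcc93340 00000000`00000000 : ffff9709`1de7d800 ffff9709`23fd5010 ffff9709`1dd5ec88 00000000`00010001 : tcpip+0x142553

IMAGE_NAME:  tcpip.sys
BUCKET_ID:  WRONG_SYMBOLS
"""

ACCESS_VIOLATION = 0xC0000005
# Assumption for this example: Windows keeps the lowest 64 KB unmapped, so a
# fault there means a NULL base pointer plus a small structure offset.
LOW_UNMAPPED_LIMIT = 0x10000
MASK64 = (1 << 64) - 1
FRAME_RE = r"^[0-9a-f]{8}`[0-9a-f]{8} [0-9a-f]{8}`[0-9a-f]{8} : .* : (\S+)$"


def parse_analyze(text):
    """Pull the triage-relevant fields out of !analyze -v text."""
    out = {}
    m = re.search(r"^(\w+) \(([0-9a-f]+)\)\s*$", text, re.M | re.I)
    out["bugcheck"] = (m.group(1), int(m.group(2), 16)) if m else None
    out["args"] = [int(v, 16)
                   for v in re.findall(r"^Arg\d: ([0-9a-f]+),", text, re.M | re.I)]
    m = re.search(r"FAULTING_IP:\s+(\w+)\+([0-9a-f]+)\s+[0-9a-f`]+\s+[0-9a-f]+\s+(.+)",
                  text, re.I)
    out["fault"] = (m.group(1), int(m.group(2), 16), m.group(3).strip()) if m else None
    regs = {}
    for name, val in re.findall(r"\b(r[a-z0-9]{1,3})=([0-9a-f]{16})\b", text):
        regs.setdefault(name, int(val, 16))  # first context record wins
    out["regs"] = regs
    out["frames"] = re.findall(FRAME_RE, text, re.M)
    out["symbols_ok"] = not re.search(
        r"symbols are WRONG|BUCKET_ID:\s+WRONG_SYMBOLS", text)
    return out


def effective_address(instr, regs):
    """Resolve a simple [reg], [reg+disp] or [reg-disp] operand from the saved
    context. Scaled-index operands are not handled and return None."""
    m = re.search(r"\[(\w+)(?:([+-])([0-9a-f]+)h?)?\]", instr, re.I)
    if not m or m.group(1).lower() not in regs:
        return None
    base = m.group(1).lower()
    disp = int(m.group(3), 16) if m.group(3) else 0
    if m.group(2) == "-":
        disp = -disp
    return base, (regs[base] + disp) & MASK64


def triage(text):
    """Summarise what the dump text supports and what it does not."""
    p = parse_analyze(text)
    notes, ea = [], None
    if p["bugcheck"] and p["bugcheck"][1] == 0x3B and p["args"][:1] == [ACCESS_VIOLATION]:
        notes.append("0x3B with Arg1=0xC0000005: access violation in a system service")
    if p["fault"]:
        ea = effective_address(p["fault"][2], p["regs"])
    null_deref = bool(ea and p["regs"][ea[0]] == 0 and ea[1] < LOW_UNMAPPED_LIMIT)
    if null_deref:
        notes.append(f"{ea[0]} is NULL; read at offset {ea[1]:#x} is a NULL pointer dereference")
    if not p["symbols_ok"]:
        notes.append("symbols did not load: only module+offset is known, stack walk may be incomplete")
    if len(p["frames"]) <= 1:
        notes.append("single stack frame: caller unknown, faulting module is not proof of the culprit")
    return {
        "module": p["fault"][0] if p["fault"] else None,
        "offset": p["fault"][1] if p["fault"] else None,
        "effective_address": ea[1] if ea else None,
        "null_deref": null_deref,
        "symbols_ok": p["symbols_ok"],
        "notes": notes,
    }


if __name__ == "__main__":
    for line in triage(SAMPLE)["notes"]:
        print("-", line)
```
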

38 minutes ago, Circaflex said:

Helpful, yes, but not enough information is provided. You'll have to use a program that can analyze the dump and generate a report that will pinpoint the driver causing it. However, my bet is on a network driver (lan or wifi) and I would visit the motherboard's website and download the ones they have available, uninstall the currently installed drivers and install those. However, I have seen Internet Security Suites and Anti-Virus trigger this as well.

 

You can use mega or onedrive to upload the file, just make sure the dmp comes from %SystemRoot%\Minidump. The tenforums link has a picture guide that I find fairly simple to understand. Give that a shot.

I have an MSI Z170A Gaming Pro Carbon motherboard.

 

The latest Intel network drivers MSI offer are 12.15.22.3 (dated 24/11/2015).

 

The latest ones available from Intel are 12.15.23.7 (dated 04/08/2016).

 

Both cause the same issue.

 

I've noticed things are fine until qBittorrent runs for around one minute, then it BSODs.

Link to comment
Share on other sites

@Elliot B. I imagine qBittorrent is fricking around with Windows' TCP/IP drivers which is causing it to BSOD. I recommend trying a different version of qBittorrent and see if that fixes the problem. And like @Circaflex is asking for, do you have an AV or run AdGuard? And what's the hardware ID for your network adapter?

Link to comment
Share on other sites

3 minutes ago, Circaflex said:

Can you try a different version of qBittorrent? Or a different client altogether? What AV? Do you run AdGuard? What is the hardware ID of your network adapter?

 

1 minute ago, Kamran Mackey said:

@Elliot B. I imagine qBittorrent is fricking around with Windows' TCP/IP drivers which is causing it to BSOD. I recommend trying a different version of qBittorrent and see if that fixes the problem. And like @Circaflex is asking for, do you have an AV or run AdGuard? And what's the hardware ID for your network adapter?

Oops, sorry.

 

Windows Defender and Malwarebytes Premium 3.0.4.

 

No AdGuard.

 

VEN_8086&DEV_15B8

  • Like 1
Link to comment
Share on other sites

Yup, definitely on the newest available. I would try a different version of qBittorrent if you can, possibly even a different client just so we can isolate the issue a little bit more. Did this happen before you started using MBAM Premium 3.0?

Link to comment
Share on other sites

Just now, Circaflex said:

Yup, definitely on the newest available. I would try a different version of qBittorrent if you can, possibly even a different client just so we can isolate the issue a little bit more. Did this happen before you started using MBAM Premium 3.0?

Good point! No, it did not!

 

It was since installing MBAM Premium 3.0, which was released today!

Link to comment
Share on other sites

Just now, Elliot B. said:

Good point! No, it did not!

 

It was since installing MBAM Premium 3.0, which was released today!

Then I'd recommend reverting to a Malwarebytes 2.x release until the BSODs with Malwarebytes 3.0 are resolved. :)

Link to comment
Share on other sites

Maybe there are still some things to iron out, I think at one point during the betas they offered an uninstall utility for this new version. I would uninstall MBAM 3.0 and run their utility if available (check their forums) and test for a few days. If all goes well, I would contact their support team. They are super quick to respond and last time I had a specific bug they fixed it within a day or two of me reporting it. If that all goes well, I would update to the newest insider build and try MBAM again.

  • Like 1
Link to comment
Share on other sites

You've got suss files on your system. This is one of them MpKsl673638b5.sys

 

If you use ethernet to get online update the drivers for it. This file I2cHkBurn.sys is also old / from 2012.

 

Update this, dfx12x64.sys, which belongs to audio drivers. The drivers are old/from 2012.

 

What version of malwarebytes anti-ransom is installed?

Link to comment
Share on other sites

1 minute ago, John.D said:

You've got suss files on your system. This is one of them MpKsl673638b5.sys

 

If you use ethernet to get online update the drivers for it. This file I2cHkBurn.sys is also old / from 2012.

 

Update this, dfx12x64.sys, which belongs to audio drivers. The drivers are old/from 2012.

 

What version of malwarebytes anti-ransom is installed?

You got the name of Malwarebytes all wrong xD It's actually Malwarebytes Anti-malware. :D

Link to comment
Share on other sites

2 minutes ago, Circaflex said:

Maybe there are still some things to iron out, I think at one point during the betas they offered an uninstall utility for this new version. I would uninstall MBAM 3.0 and run their utility if available (check their forums) and test for a few days. If all goes well, I would contact their support team. They are super quick to respond and last time I had a specific bug they fixed it within a day or two of me reporting it. If that all goes well, I would update to the newest insider build and try MBAM again.

Running Malwarebytes Anti-Malware Cleanup Utility now (Y)

 

Just now, John.D said:

You've got suss files on your system. This is one of them MpKsl673638b5.sys

 

If you use ethernet to get online update the drivers for it. This file I2cHkBurn.sys is also old / from 2012.

 

Update this, dfx12x64.sys, which belongs to audio drivers. The drivers are old/from 2012.

 

What version of malwarebytes anti-ransom is installed?

Driver Booster 4.1 is telling me all my drivers are as up-to-date as they can be, and I trust this software.

Link to comment
Share on other sites

Just now, Elliot B. said:

Driver Booster 4.1 is telling me all my drivers are as up-to-date as they can be, and I trust this software.

My advice would be to ditch that program. Too many times have I seen these "driver updater" programs cause all sorts of weird issues. Just continually check your motherboard's website for new drivers. Realistically, the only drivers that require updates are graphics for bug fixes and optimizations. Most of your other drivers are fine using the OEM supplied until they provide updates, unless of course you experience BSODs with their drivers. Just my 2 cents.

Link to comment
Share on other sites

4 minutes ago, Elliot B. said:

Running Malwarebytes Anti-Malware Cleanup Utility now (Y)

 

Driver Booster 4.1 is telling me all my drivers are as up-to-date as they can be, and I trust this software.

Kind of a bad idea to use Driver Booster IMHO. I'd recommend seeing if there are drivers available straight from Intel's website and any other places you might have outdated drivers.

2 minutes ago, Circaflex said:

My advice would be to ditch that program. Too many times have I seen these "driver updater" programs cause all sorts of weird issues. Just continually check your motherboard's website for new drivers. Realistically, the only drivers that require updates are graphics for bug fixes and optimizations. Most of your other drivers are fine using the OEM supplied until they provide updates, unless of course you experience BSODs with their drivers. Just my 2 cents.

I agree with everything you said, other than the "only graphics drivers require updates" part. It's a good idea to update anything on your system if newer drivers are available, as all new drivers normally introduce bug fixes/improvements.

Link to comment
Share on other sites

1 minute ago, Circaflex said:

My advice would be to ditch that program. Too many times have I seen these "driver updater" programs cause all sorts of weird issues. Just continually check your motherboard's website for new drivers. Realistically, the only drivers that require updates are graphics for bug fixes and optimizations. Most of your other drivers are fine using the OEM supplied until they provide updates, unless of course you experience BSODs with their drivers. Just my 2 cents.

Manufacturer motherboard drivers are always way, way out of date :/

Link to comment
Share on other sites

Also, just an FYI to anyone, Intel now provides a utility that will scan your computer and let you know if there are any updates available. Works on 99% of computers from my experience.

  • Like 2
Link to comment
Share on other sites

Just now, Circaflex said:

Also, just an FYI to anyone, Intel now provides a utility that will scan your computer and let you know if there are any updates available. Works on 99% of computers from my experience.

They've provided this utility for quite a while, just with a Java version previously. They probably ditched that version by now however.

Link to comment
Share on other sites

1 minute ago, Elliot B. said:

Manufacturer motherboard drivers are always way, way out of date :/

But, they are usually tailored to their specific devices. The only ones you really need to or want to update, would be chipset and graphics. Way out of date, doesn't always mean bad. Sometimes newer drivers are found by those "driver updater" programs because they pick up other OEM drivers. Sure they might work, but they also might be tailored to that OEM's hardware. Kind of like using Intel GPU drivers on a Surface. Sure they work, but they aren't optimized for the Surface like the ones from Microsoft, even if they are a few versions behind.
 

Just now, Kamran Mackey said:

They've provided this utility for quite a while, just with a Java version previously. They probably ditched that version by now however.

Oh yea, I am aware. Just figured Elliot might not have known or any other users visiting the thread. :) 

Link to comment
Share on other sites

This topic is now closed to further replies.