Tech Support Forum - View Single Post - BSOD Vista SP1 - Bugchecks 0xfe 0x9f

10-17-2008, 12:23 AM
jcgriff2

Hi. . .

The four full physical memory dumps totalling 11.8gb that I received were (renamed to include date and time of crash):
Code:
07/16/2008  08:52     2,144,586,207 ymhuang_physical_RAM_07-15-08_T055257.dmp

10/06/2008  12:20     3,216,898,113 ymhuang_physical_RAM_09-25-08_T011809.dmp

10/06/2008  14:09     3,218,970,650 ymhuang_physical_RAM_09-25-08_T151823.dmp

10/06/2008  15:33     3,218,981,939 ymhuang_physical_RAM_09-27-08_T130903.dmp

               4 File(s) 11,799,436,909 bytes
Interesting to note the size of the July 16th dump - 1.1gb smaller than the other 3. I do see you have 4gb RAM installed on this Vista x64 system.

There were 3 0xfe bugchecks and 1 0x9f. The 0x9f names NT as the probable cause; 2 of the 0xfe bugchecks list bthport.sys - all 3 are MS modules.

The 4th one (the 1st 0xfe listed in the summary below) lists usbfilter.sys as the probable cause and can easily be found on the stack text. This is apparently a module belonging to AMD. I show a timestamp in the dump's loaded module listing as Wed May 28 18:54:13 2008; the compiled date in the driver query report shows it as 5/28/2008 3:54:15 PM = within reason of the other.

You are absolutely correct in your threads here and at MSDN that 0x9f w/ A1= 0x4 is a new one. Maybe it is the case that Vista SP2 or Windows 7 will release the meaning of this unknown argument. I have no information on it myself as of yet. I have combed through MSDN and TechNet (Mark Russinovich) looking, but have come up empty.

Have you checked the AMD site for any recent updates to the usbfilter.sys driver? Have you considered a roll-back? HERE is the AMD site for driver downloads.


I did find 2 resource locks:
Code:
0: kd> !locks
**** DUMP OF ALL RESOURCE OBJECTS ****
KD: Scanning for held locks..

Resource @ nt!IopDeviceTreeLock (0x81b4e660)    Shared 1 owning threads
    Contention Count = 9
     Threads: 8458e020-01<*> 
KD: Scanning for held locks.

Resource @ nt!PiEngineLock (0x81b4e5e0)    Exclusively owned
    Contention Count = 39
     Threads: 8458e020-01<*> 
KD: Scanning for held locks...

Resource @ 0x855c28b4    Shared 1 owning threads
    Contention Count = 48
     Threads: 87488020-01<*> 
KD: Scanning for held locks..........

Resource @ 0x869b0a00    Shared 1 owning threads
    Contention Count = 14
     Threads: 852b3898-01<*> 
KD: Scanning for held locks...........

Resource @ 0x87344e40    Shared 1 owning threads
     Threads: 87418030-01<*> 
KD: Scanning for held locks.........................................................................................................................................................................................................................................................................................................................................................................................................

Resource @ 0x84cb7aa8    Shared 1 owning threads
     Threads: 855c54db-01<*> *** Actual Thread 855c54d8
KD: Scanning for held locks.........................................................................

Resource @ 0xa705aacc    Exclusively owned
     Threads: 87488020-01<*> 
15672 total locks, 7 locks currently held

Looking further at the 2 locks w/ exclusively owned resources @ 0xa705aacc and 0x81b4e5e0:
Code:
0: kd> !locks -v 0xa705aacc

Resource @ 0xa705aacc    Exclusively owned
     Threads: 87488020-01<*> 

     THREAD 87488020  Cid 0004.0bd8  Teb: 00000000 Win32Thread: 00000000 WAIT: (Executive) KernelMode Non-Alertable
         a705a1f8  NotificationEvent
     Not impersonating
     DeviceMap                 8b4067e0
     Owning Process            0       Image:         <Unknown>
     Attached Process          84544910       Image:         System
     Wait Start TickCount      840446         Ticks: 8451 (0:00:02:11.836)
     Context Switch Count      7447  NoStackSwap
     UserTime                  00:00:00.000
     KernelTime                00:00:02.496
     Win32 Start Address nt!ExpWorkerThread (0x81a52320)
     Stack Init a705b000 Current a7059f68 Base a705b000 Limit a7058000 Call 0
     Priority 16 BasePriority 13 PriorityDecrement 0 IoPriority 2 PagePriority 5
     ChildEBP RetAddr  
     a7059f80 81ad13bf nt!KiSwapContext+0x26 (FPO: [Uses EBP] [0,0,4])
     a7059fc4 81a6ecf8 nt!KiSwapThread+0x44f
     a705a018 8ac1c598 nt!KeWaitForSingleObject+0x492
     a705a038 8ac1b668 Ntfs!NtfsWaitOnIo+0x1c (FPO: [Non-Fpo])
     a705a15c 8ac182f7 Ntfs!NtfsNonCachedIo+0x404 (FPO: [Non-Fpo])
     a705a1c4 8ac1e509 Ntfs!NtfsNonCachedUsaWrite+0x145 (FPO: [Non-Fpo])
     a705a2f0 8ac1c914 Ntfs!NtfsCommonWrite+0x1b37 (FPO: [Non-Fpo])
     a705a48c 81ad6053 Ntfs!NtfsFsdWrite+0x2dc (FPO: [Non-Fpo])
     a705a4a4 8a56dba7 nt!IofCallDriver+0x63
     a705a4c8 8a56dd64 fltmgr!FltpLegacyProcessingAfterPreCallbacksCompleted+0x251 (FPO: [Non-Fpo])
     a705a500 81ad6053 fltmgr!FltpDispatch+0xc2 (FPO: [Non-Fpo])
     a705a518 81a5a9ce nt!IofCallDriver+0x63
     a705a52c 81a9a1b6 nt!IoSynchronousPageWrite+0x10b
     a705a65c 81a992d7 nt!MiFlushSectionInternal+0x97f
     a705a6bc 81a59ae7 nt!MmFlushSection+0xd5
     a705a750 8ac17427 nt!CcFlushCache+0x239
     a705a824 8ac92ae4 Ntfs!LfsFlushLfcb+0x479 (FPO: [Non-Fpo])
     a705a87c 8ac90e65 Ntfs!LfsFlushToLsnPriv+0x1ad (FPO: [Non-Fpo])
     a705a8c4 8ac91048 Ntfs!LfsWriteLfsRestart+0x15a (FPO: [Non-Fpo])
     a705a908 8ac93e35 Ntfs!LfsWriteRestartArea+0x118 (FPO: [Non-Fpo])
     a705ab2c 8ac94cff Ntfs!NtfsCheckpointVolume+0x132c (FPO: [Non-Fpo])
     a705ab80 8ac9482b Ntfs!NtfsCheckpointAllVolumesWorker+0x3b (FPO: [Non-Fpo])
     a705abe0 8ac94c0a Ntfs!NtfsForEachVcb+0xe6 (FPO: [Non-Fpo])
     a705ad44 81a5241d Ntfs!NtfsCheckpointAllVolumes+0xab (FPO: [Non-Fpo])
     a705ad7c 81befb18 nt!ExpWorkerThread+0xfd
     a705adc0 81a48a3e nt!PspSystemThreadStartup+0x9d
     00000000 00000000 nt!KiThreadStartup+0x16
Code:
0: kd> !locks -v 0x81b4e5e0

Resource @ nt!PiEngineLock (0x81b4e5e0)    Exclusively owned
    Contention Count = 39
     Threads: 8458e020-01<*> 

     THREAD 8458e020  Cid 0004.0038  Teb: 00000000 Win32Thread: 00000000 WAIT: (Executive) KernelMode Non-Alertable
         8b75fa18  SynchronizationEvent
         8b75f9f0  Semaphore Limit 0x2e
     Not impersonating
     DeviceMap                 8b4067e0
     Owning Process            0       Image:         <Unknown>
     Attached Process          84544910       Image:         System
     Wait Start TickCount      840759         Ticks: 8138 (0:00:02:06.953)
     Context Switch Count      44955  NoStackSwap
     UserTime                  00:00:00.000
     KernelTime                00:00:10.935
     Win32 Start Address nt!ExpWorkerThread (0x81a52320)
     Stack Init 8b760000 Current 8b75f908 Base 8b760000 Limit 8b75d000 Call 0
     Priority 13 BasePriority 12 PriorityDecrement 0 IoPriority 2 PagePriority 5
     ChildEBP RetAddr  
     8b75f920 81ad13bf nt!KiSwapContext+0x26 (FPO: [Uses EBP] [0,0,4])
     8b75f964 81ace3cf nt!KiSwapThread+0x44f
     8b75f9b8 81cf2e99 nt!KeWaitForMultipleObjects+0x53d
     8b75fa44 81cf2bc4 nt!PopSleepDeviceList+0x95
     8b75faa4 81cf2963 nt!PoBroadcastSystemState+0x251
     8b75fad8 81cf3aa1 nt!PopSetDevicesSystemState+0x7b
     8b75fbfc 81a71a7a nt!NtSetSystemPowerState+0x4b4
     8b75fbfc 81a70961 nt!KiFastCallEntry+0x12a (FPO: [0,3] TrapFrame @ 8b75fc10)
     8b75fc80 81caa8c3 nt!ZwSetSystemPowerState+0x11 (FPO: [3,0,0])
     8b75fccc 81caa256 nt!PopIssueActionRequest+0x352
     8b75fd08 81a4d01c nt!PopPolicyWorkerAction+0x45
     8b75fd44 81a5241d nt!PopPolicyWorkerThread+0x6e
     8b75fd7c 81befb18 nt!ExpWorkerThread+0xfd
     8b75fdc0 81a48a3e nt!PspSystemThreadStartup+0x9d
     00000000 00000000 nt!KiThreadStartup+0x16


The 2nd one above shows a trap frame, but 0x0 error code, so not much here, I don't believe:
Code:
1 total locks, 1 locks currently held
0: kd> .trap 8b75fc10
ErrCode = 00000000
eax=00000000 ebx=00000000 ecx=00000000 edx=00000000 esi=00000002 edi=00000009
eip=81a70961 esp=8b75fc84 ebp=8b75fccc iopl=0         nv up ei pl zr na pe nc
cs=0008  ss=0010  ds=0047  es=0000  fs=0030  gs=0000             efl=00000246
nt!ZwSetSystemPowerState+0x11:
81a70961 c20c00          ret     0Ch

This is about all that I have for you right now. I will continue to look at these 4 dumps as time permits. I would look at that AMD driver. To note, none of these dumps were Vista Verifier Enabled dumps - one reason that I believe that Microsoft modules were named in 3 of them.

One thought - do you use Bluetooth at all? If not, disable it. I have done so in my systems - not b/c of BSODs, but because BT would hang on occasion.

I would also suggest changing your system crash settings back to full kernel dumps, as it will cause BSODs to write a kernel dump to %windir%\memory.dmp and also produce a mini kernel dump %windir%\minidump - but run the driver verifier. I see some old drivers in your system dating back to 2005 and will compile a sorted list of them for you in ascending chronological order. Maybe the answer is in there. But w/o the verifier enabled, there is not much chance of figuring out what driver is the real culprit when you have MS modules like bthport and NT named as probable causes in BSODs - even with full physical memory dumps at my disposal.

Comments, suggestions and criticism are welcome from anyone who wishes to do so... in fact it is encouraged - PLEASE!

The dump logs are attached to this post.

Finally, I wanted to thank you for all of your efforts to get these massive RAM dumps to me. They did take over a day total to download, but the un-zipping was rather easy. It has been a real treat on this end to work with such dump files - a rarity for me.

Regards. . .

jcgriff2




Bugcheck Summary
Code:
BugCheck FE, {8, 6, 6, fffffa8005b20000}
Probably caused by : usbfilter.sys ( usbfilter+1214 )
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
BugCheck FE, {8, 6, 5, 874532f0}
Probably caused by : bthport.sys ( bthport!BthHandlePower+525 )
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
BugCheck FE, {8, 6, 5, 86eb22f0}
Probably caused by : bthport.sys ( bthport!BthHandlePower+525 )
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
BugCheck 9F, {4, 258, 0, 0}
Probably caused by : ntkrpamp.exe ( nt!PopBuildDeviceNotifyListWatchdog+27 )
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
.
Built by: 6001.18063.amd64fre.vistasp1_gdr.080425-1930
Debug session time: Sat Sep 27 13:09:03.476 2008 (GMT-4)
System Uptime: 0 days 1:03:53.482
BugCheck FE, {8, 6, 6, fffffa8005b20000}
*** ERROR: Module load completed but symbols could not be loaded for usbfilter.sys
Probably caused by : usbfilter.sys ( usbfilter+1214 )
PROCESS_NAME:  System
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Built by: 6001.18063.x86fre.vistasp1_gdr.080425-1930
Debug session time: Thu Sep 25 15:18:23.744 2008 (GMT-4)
System Uptime: 0 days 0:12:27.758
BugCheck FE, {8, 6, 5, 874532f0}
Probably caused by : bthport.sys ( bthport!BthHandlePower+525 )
PROCESS_NAME:  System
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Built by: 6001.18063.x86fre.vistasp1_gdr.080425-1930
Debug session time: Thu Sep 25 01:18:09.476 2008 (GMT-4)
System Uptime: 0 days 3:40:42.890
BugCheck FE, {8, 6, 5, 86eb22f0}
Probably caused by : bthport.sys ( bthport!BthHandlePower+525 )
PROCESS_NAME:  System
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Built by: 6001.18000.x86fre.longhorn_rtm.080118-1840
Debug session time: Tue Jul 15 05:52:57.479 2008 (GMT-4)
System Uptime: 0 days 0:14:34.477
BugCheck 9F, {4, 258, 0, 0}
Probably caused by : ntkrpamp.exe ( nt!PopBuildDeviceNotifyListWatchdog+27 )
PROCESS_NAME:  System
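
An added example, not part of jcgriff2's post or of any tool used in it: a small Python parser for `!locks` output like that quoted in the post, which picks out the exclusively owned resources and groups held resources by owning thread. The sample text is trimmed from the post's output; the function and variable names are illustrative assumptions.

```python
import re
# Sample input: trimmed from the !locks output quoted in the post (5 of the 7 held locks).
SAMPLE = """\
Resource @ nt!IopDeviceTreeLock (0x81b4e660)    Shared 1 owning threads
    Contention Count = 9
     Threads: 8458e020-01<*>
KD: Scanning for held locks.
Resource @ nt!PiEngineLock (0x81b4e5e0)    Exclusively owned
    Contention Count = 39
     Threads: 8458e020-01<*>
Resource @ 0x855c28b4    Shared 1 owning threads
    Contention Count = 48
     Threads: 87488020-01<*>
Resource @ 0x84cb7aa8    Shared 1 owning threads
     Threads: 855c54db-01<*> *** Actual Thread 855c54d8
Resource @ 0xa705aacc    Exclusively owned
     Threads: 87488020-01<*>
"""

RES = re.compile(r"^Resource @ (?:(?P<sym>\S+) \((?P<a1>0x[0-9a-f]+)\)|(?P<a2>0x[0-9a-f]+))"
                 r"\s+(?P<mode>Exclusively owned|Shared)")
CONT = re.compile(r"Contention Count = (\d+)")
# Owner entries look like "8458e020-01<*>"; prefer the corrected "Actual Thread" when shown.
THR = re.compile(r"([0-9a-f]{8})-\d+<\*>(?: \*\*\* Actual Thread ([0-9a-f]{8}))?")

def parse_locks(text):
    """Return one dict per held resource: name, addr, exclusive, contention, owners."""
    locks = []
    for line in text.splitlines():
        if m := RES.match(line):
            locks.append({"name": m["sym"] or m["a2"], "addr": m["a1"] or m["a2"],
                          "exclusive": m["mode"] != "Shared", "contention": 0, "owners": []})
        elif locks and (c := CONT.search(line)):
            locks[-1]["contention"] = int(c[1])
        elif locks and "Threads:" in line:
            locks[-1]["owners"] += [actual or shown for shown, actual in THR.findall(line)]
    return locks

def threads_holding_several(locks):
    """Map thread address -> resource names, for threads that own more than one lock."""
    held = {}
    for lk in locks:
        for thread in lk["owners"]:
            held.setdefault(thread, []).append(lk["name"])
    return {t: names for t, names in held.items() if len(names) > 1}

if __name__ == "__main__":
    print(threads_holding_several(parse_locks(SAMPLE)))
```

Grouping by owner gives the thread addresses to pass to `!locks -v` or `!thread` when following up on a held resource.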