So, I helped my girlfriend's mom pick out a new HP laptop back on Tax Free Weekend. It worked fine for me when I was setting it up/removing the crapware from it but when she got it home (Louisville, KY) she says it BSOD's every time it boots. I've got it running in Safe Mode with Networking at the moment and I have VNC setup on it so I can take a look but without seeing the BSOD, I'm having a hard time pinpointing the problem.



Here is the windows dump log analysis:


Microsoft (R) Windows Debugger Version 6.11.0001.404 X86
Copyright (c) Microsoft Corporation. All rights reserved.


Loading Dump File [C:\Users\Tom\Desktop\Marigene's Memory Dump\MEMORY.DMP]
Kernel Summary Dump File: Only kernel address space is available

Symbol search path is: SRV*c:\symbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
Windows Server 2008/Windows Vista Kernel Version 6001 (Service Pack 1) MP (2 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS Personal
Built by: 6001.22477.amd64fre.vistasp1_ldr.090722-0700
Machine Name:
Kernel base = 0xfffff800`01e5a000 PsLoadedModuleList = 0xfffff800`0201cdb0
Debug session time: Sun Sep 6 16:02:24.978 2009 (GMT-4)
System Uptime: 0 days 0:01:40.681
Loading Kernel Symbols
...............................................................
................................................................
................................................................
...
Loading User Symbols

Loading unloaded module list
....
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 7E, {ffffffffc0000005, fffff8000228a3aa, fffffa60021e77d8, fffffa60021e71b0}

Probably caused by : ntkrnlmp.exe ( nt!PnpDelayedRemoveWorker+2a )

Followup: MachineOwner
---------

0: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

SYSTEM_THREAD_EXCEPTION_NOT_HANDLED (7e)
This is a very common bugcheck. Usually the exception address pinpoints
the driver/function that caused the problem. Always note this address
as well as the link date of the driver/image that contains this address.
Arguments:
Arg1: ffffffffc0000005, The exception code that was not handled
Arg2: fffff8000228a3aa, The address that the exception occurred at
Arg3: fffffa60021e77d8, Exception Record Address
Arg4: fffffa60021e71b0, Context Record Address

Debugging Details:
------------------


EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.

FAULTING_IP:
nt!PnpDelayedRemoveWorker+2a
fffff800`0228a3aa 498b8238010000 mov rax,qword ptr [r10+138h]

EXCEPTION_RECORD: fffffa60021e77d8 -- (.exr 0xfffffa60021e77d8)
ExceptionAddress: fffff8000228a3aa (nt!PnpDelayedRemoveWorker+0x000000000000002a)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 0000000000000000
Parameter[1]: 0000000082000158
Attempt to read from address 0000000082000158

CONTEXT: fffffa60021e71b0 -- (.cxr 0xfffffa60021e71b0)
rax=fffffa8003cc0701 rbx=fffffa80080c5500 rcx=fffff80002052d20
rdx=fffffa8003cc0701 rsi=fffffa8006506260 rdi=0000000000000000
rip=fffff8000228a3aa rsp=fffffa60021e7a10 rbp=0000000000000001
r8=fffffa8003c1a000 r9=0000000000000373 r10=0000000082000020
r11=00000000000007ff r12=fffff80002052b20 r13=fffffa8006c45b70
r14=0000000000000000 r15=0000000000000001
iopl=0 nv up ei pl nz na pe nc
cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00010202
nt!PnpDelayedRemoveWorker+0x2a:
fffff800`0228a3aa 498b8238010000 mov rax,qword ptr [r10+138h] ds:002b:00000000`82000158=????????????????
Resetting default scope

DEFAULT_BUCKET_ID: VISTA_DRIVER_FAULT

PROCESS_NAME: System

CURRENT_IRQL: 0

ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.

EXCEPTION_PARAMETER1: 0000000000000000

EXCEPTION_PARAMETER2: 0000000082000158

READ_ADDRESS: 0000000082000158

FOLLOWUP_IP:
nt!PnpDelayedRemoveWorker+2a
fffff800`0228a3aa 498b8238010000 mov rax,qword ptr [r10+138h]

BUGCHECK_STR: 0x7E

LAST_CONTROL_TRANSFER: from fffff8000228a555 to fffff8000228a3aa

STACK_TEXT:
fffffa60`021e7a10 fffff800`0228a555 : fffffa80`080c5500 fffffa80`06c45b70 fffffa80`06c45b70 00000000`00000000 : nt!PnpDelayedRemoveWorker+0x2a
fffffa60`021e7a60 fffff800`01f85c69 : 00000000`00000000 00000000`00000001 00000000`00000000 fffffa80`03cf4010 : nt!PnpChainDereferenceComplete+0x115
fffffa60`021e7aa0 fffff800`0228ed79 : 00000000`00000000 fffffa80`06506200 fffffa80`07e3c9f0 00000000`00000001 : nt!PnpIsChainDereferenced+0xc9
fffffa60`021e7b20 fffff800`0228effc : fffffa60`021e7cf8 fffffa80`07e64500 fffffa80`03cc0700 fffffa80`00000000 : nt!PnpProcessQueryRemoveAndEject+0xf99
fffffa60`021e7c70 fffff800`0218f6c7 : 00000000`00000001 fffffa80`07e64570 fffff880`0c4efc50 00000000`00000000 : nt!PnpProcessTargetDeviceEvent+0x4c
fffffa60`021e7ca0 fffff800`01eb3e4a : fffff800`020bb494 fffff880`0c4efc50 fffff800`01fe98f8 fffffa80`03cc0720 : nt! ?? ::NNGAKEGL::`string'+0x4a314
fffffa60`021e7cf0 fffff800`020cb573 : fffffa80`07e64570 00000000`00007000 fffffa80`03cc0720 00000000`00000080 : nt!ExpWorkerThread+0x11a
fffffa60`021e7d50 fffff800`01ee2ff6 : fffffa60`005ec180 fffffa80`03cc0720 fffffa60`005f5d40 00000000`00000001 : nt!PspSystemThreadStartup+0x57
fffffa60`021e7d80 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiStartSystemThread+0x16


SYMBOL_STACK_INDEX: 0

SYMBOL_NAME: nt!PnpDelayedRemoveWorker+2a

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: nt

IMAGE_NAME: ntkrnlmp.exe

DEBUG_FLR_IMAGE_TIMESTAMP: 4a67e1a0

STACK_COMMAND: .cxr 0xfffffa60021e71b0 ; kb

FAILURE_BUCKET_ID: X64_0x7E_nt!PnpDelayedRemoveWorker+2a

BUCKET_ID: X64_0x7E_nt!PnpDelayedRemoveWorker+2a

Followup: MachineOwner
---------



Any ideas? I'm thinking its some sort of driver incompatibility with Vista x64 but I can't figure out which one exactly.

9/7/2009 2:35:51 PM

from the name (nt!PnpDelayedRemoveWorker) i would guess something with disconnecting a removable device. Like a flash drive was removed and it caused a thread to crash or something. If nothing was removed it might be a damaged device thats disconnecting randomly.

Disconnect any external devices (including mice/keyboards/memorycards) and see if it boots ok. If it still has problems it might be with a particular device thats internal to the laptop but connected to the bus as removable (like a card reader).

9/7/2009 2:46:24 PM

I don't believe there are any external USB devices but I'll double check that. Thanks

9/7/2009 2:55:32 PM

if the laptop has built in devices like smart card readers or memory card readers you might want to uninstall them while in safemode. Its definitely some device thats screwed up since safe mode works. There used to be a way to do a startup where it prompted you to initialize each device. If you can find that you should be able to walk through each device until it blue screens.

9/7/2009 3:01:29 PM

I was just about to say the same thing. Uninstall the USB hardware and controllers and see if that fixes the problem. Shaggy is right on about the removable media.

9/8/2009 2:01:14 PM

of course if none of this works the last posibility might be bad ram. You can test ram with a memtest86 boot cd or if you have spare ram lying around by chance, swap it out.

9/8/2009 2:29:21 PM

if the laptop has 2 DIMM slots, you can just take one out and try booting the PC with one chip at a time.

9/8/2009 2:49:06 PM

Yeah, unfortunately the laptop is in Louisville so that rules out my ability to test/swap hardware. A friend put me onto this:

http://www.techsupportforum.com/microsoft-support/windows-vista-windows-7-support/408354-common-bsod-vista-x64-0x0000007e-probably-caused-ntkrnlmp-exe.html

So I'm gonna try un-installing that Windows Update and I guess the USB controllers as soon as I can get access to the computer again.

Thanks for the help so far

9/8/2009 7:52:35 PM

Im just impressed somebody in this forum actually knows how to run windbg

9/8/2009 9:03:19 PM

If this is Vista x64, there may be a good possibility an unsigned driver is trying to force its way into memory, which is a big no-no. Vista x86 doesn't block this necessarily, but Vista x64 will. (Case in point, PeerGuardian on Vista x64).

I'm not sure if you can install it in Safe mode, but ReadyDriver Plus may be helpful here.

[Edited on September 8, 2009 at 10:09 PM. Reason : .]

9/8/2009 10:09:35 PM

Quote :

"Im just impressed somebody in this forum actually knows how to run windbg"

Umm... thanks... I guess?

Anyway, I ran a Windows System Restore back to the night when I unboxed it for her and she said it is working fine now. So I'm leaning towards that Windows Update was the problem. Now I just need to get back in there and tell it not to install that update again before it BSOD's on her again.

9/10/2009 8:19:58 AM

haha. yeah, you know it's bad if you call into microsoft and one of the main options is "Are you experiencing a blue screen?" referring to a recent update that botched shit on Vista x64

9/10/2009 8:38:49 AM