Blue screen on new fleet laptop


11 replies to this topic

#1
PlanoTechs

PlanoTechs

    Newbie

  • Member
  • 12 posts
  • Joined 06-February 14
  • OS:Windows 7 x86

We recently installed a new laptop (Getac V110) in one of our fleet vehicles. I have gotten reports that users are getting a blue screen anywhere between 2 and 4 times in a 12-hour shift. I got a memory dump from the machine, but I don't have the resources to personally troubleshoot it. I wondered if I could get some assistance from the experts on this forum, as y'all have been very helpful for me in the past.

 

The memory dump can be found here: https://onedrive.liv...F3BAAA41FB7!160

 

Thanks in advance for any help you can provide,

 

Justin





#2
Tripredacus

Tripredacus

    K-Mart-ian Legend

  • Super Moderator
  • 9,814 posts
  • Joined 28-April 06
  • OS:Server 2012

Donator

The process that crashed was Microsoft MapPoint. What version of MapPoint is it?
The dump indicates a memory error, but I wonder if the other dumps are the same error or different ones. Even if you don't have the old memory.dmps, the bugchecks still may be preserved in Event Viewer.

It also looks like you have very old F-Secure encryption software installed; the driver it uses is from 2002.

#3
Jared44

Jared44
  • Member
  • 7 posts
  • Joined 01-August 14
  • OS:Windows 7 x64

I just thought I'd add a little bit.

BAD_POOL_HEADER (19)
The pool is already corrupt at the time of the current request.
This may or may not be due to the caller.
The internal pool links must be walked to figure out a possible cause of
the problem, and then special pool applied to the suspect tags or the driver
verifier to a suspect driver.
Arguments:
Arg1: 00000020, a pool block header size is corrupt.
Arg2: c42da2e8, The pool entry we were looking for within the page.
Arg3: c42da468, The next pool entry.
Arg4: 1830000b, (reserved)

So here we can see the pool entry we were looking for within the pool page and the next pool entry that should use this current pool.

0: kd> !pool c42da2e8
Pool page c42da2e8 region is Nonpaged pool
 c42da000 size:   b8 previous size:    0  (Allocated)  File (Protected)
 c42da0b8 size:    8 previous size:   b8  (Free)       ....
 c42da0c0 size:   68 previous size:    8  (Allocated)  FMsl
 c42da128 size:  168 previous size:   68  (Allocated)  CcSc
 c42da290 size:   58 previous size:  168  (Allocated)  SAds
*c42da2e8 size:  180 previous size:   58  (Free ) *Io   Process: 8bedc030
		Pooltag Io   : general IO allocations, Binary : nt!io

c42da468 doesn't look like a valid small pool allocation, checking to see
if the entire page is actually part of a large page allocation...

c42da468 is not a valid large pool allocation, checking large session pool...
c42da468 is not valid pool. Checking for freed (or corrupt) pool
Bad previous allocation size @c42da468, last size was 30

***
*** An error (or corruption) in the pool was detected;
*** Attempting to diagnose the problem.
***
*** Use !poolval c42da000 for more details.


Pool page [ c42da000 ] is __inVALID.

Analyzing linked list...
[ c42da2e8 --> c42da5c8 (size = 0x2e0 bytes)]: Corrupt region


Scanning for single bit errors...

None found

Here we can see the linked list for the pool is corrupt, but the end of the list is with the next pool entry.

That is wrong; remember, if we look back, the next list entry should be c42da468, not c42da5c8. The cause is probably due to a driver overwriting the pool block.

0: kd> dt nt!_POOL_HEADER c42da2e8
   +0x000 PreviousSize     : 0y000001011 (0xb)
   +0x000 PoolIndex        : 0y0000000 (0)
   +0x002 BlockSize        : 0y000110000 (0x30)
   +0x002 PoolType         : 0y0001100 (0xc)
   +0x000 Ulong1           : 0x1830000b
   +0x004 PoolTag          : 0x20206f49
   +0x004 AllocatorBackTraceIndex : 0x6f49
   +0x006 PoolTagHash      : 0x2020

This is the pool allocation information which we were looking at.

0: kd> dt nt!_POOL_HEADER c42da468
   +0x000 PreviousSize     : 0y101010000 (0x150)
   +0x000 PoolIndex        : 0y0100011 (0x23)
   +0x002 BlockSize        : 0y101010011 (0x153)
   +0x002 PoolType         : 0y0100000 (0x20)
   +0x000 Ulong1           : 0x41534750
   +0x004 PoolTag          : 0x332c412c
   +0x004 AllocatorBackTraceIndex : 0x412c
   +0x006 PoolTagHash      : 0x332c

This pool is clearly corrupt as its header has been overwritten.

 

A full memory dump would be needed to see what is being run in user mode, but MapPoint isn't necessarily the cause just because it's in the stack.


  • MagicAndre1981 likes this
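
Added example (not part of Jared44's post or of any tool mentioned in this thread): a small Python decoder for the two `_POOL_HEADER` dumps above, assuming the 32-bit layout that `dt` prints (9-bit sizes, 7-bit index and type, sizes counted in 8-byte units). It repeats the next-block consistency check that `!pool` performs and also tests whether the overwritten header is plain text; the function names are illustrative.

```python
import struct

# Values copied from the `dt nt!_POOL_HEADER` output above (32-bit Windows 7).
HEADERS = {
    0xC42DA2E8: (0x1830000B, 0x20206F49),  # Arg2: the entry being looked at
    0xC42DA468: (0x41534750, 0x332C412C),  # Arg3: the "next pool entry"
}
GRANULE = 8  # assumption: x86 pool block sizes are in 8-byte units


def decode(ulong1, pool_tag):
    """Split the two header DWORDs into the fields `dt` prints."""
    lo, hi = ulong1 & 0xFFFF, ulong1 >> 16
    return {
        "PreviousSize": lo & 0x1FF,  # 9 bits
        "PoolIndex": lo >> 9,        # 7 bits
        "BlockSize": hi & 0x1FF,     # 9 bits
        "PoolType": hi >> 9,         # 7 bits
        # The same eight bytes in the order they sit in memory.
        "raw": struct.pack("<II", ulong1, pool_tag),
    }


def printable(raw):
    """True when every header byte is printable ASCII, i.e. it looks like text."""
    return all(0x20 <= b < 0x7F for b in raw)


def check_pair(addr, headers=HEADERS):
    """Step from one header to the next and report what does not line up."""
    cur = decode(*headers[addr])
    nxt_addr = addr + cur["BlockSize"] * GRANULE
    nxt = decode(*headers[nxt_addr])
    problems = []
    if nxt["PreviousSize"] != cur["BlockSize"]:
        problems.append("next.PreviousSize 0x%x != BlockSize 0x%x"
                        % (nxt["PreviousSize"], cur["BlockSize"]))
    if printable(nxt["raw"]):
        problems.append("next header is ASCII text: %r" % nxt["raw"].decode("ascii"))
    return nxt_addr, problems


if __name__ == "__main__":
    nxt_addr, problems = check_pair(0xC42DA2E8)
    print("next header expected at %08x" % nxt_addr)
    for p in problems:
        print("  corrupt:", p)
```

With these values the second header decodes to the text `PGSA,A,3`, which resembles a fragment of an NMEA `$GPGSA` GPS sentence. Treat that as a lead for which driver to put under Driver Verifier, not as proof.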

#4
MagicAndre1981

MagicAndre1981

    after Windows 7 GA still Vista lover :)

  • Patrons
  • 6,028 posts
  • Joined 28-August 05
  • OS:Vista Ultimate x86

Donator

He should also activate Driver Verifier:

 

http://msdn.microsof...8(v=vs.85).aspx



#5
Jared44

Jared44
  • Member
  • 7 posts
  • Joined 01-August 14
  • OS:Windows 7 x64

Ah sorry about that, I forgot about asking him to enable Driver Verifier.

 

What is Driver Verifier?

Driver Verifier monitors Windows kernel-mode drivers, graphics drivers, and even 3rd party drivers to detect illegal function calls or actions that might corrupt the system. Driver Verifier can subject the Windows drivers to a variety of stresses and tests to find improper behavior.

Essentially, if there's a 3rd party driver believed to be causing the issues at hand, enabling Driver Verifier will help us see which specific driver is causing the problem.

Before enabling Driver Verifier, it is recommended to create a System Restore Point:

Vista - START | type rstrui - create a restore point
Windows 7 - START | type create | select "Create a Restore Point"

How to enable Driver Verifier:

Start > type "verifier" without the quotes > Select the following options -

1. Select - "Create custom settings (for code developers)"
2. Select - "Select individual settings from a full list"
3. Check the following boxes -
- Special Pool
- Pool Tracking
- Force IRQL Checking
- Deadlock Detection
- Security Checks (Windows 7 & 8/8.1)
- DDI compliance checking (Windows 8/8.1)
- Miscellaneous Checks
4. Select - "Select driver names from a list"
5. Click on the "Provider" tab. This will sort all of the drivers by the provider.
6. Check EVERY box that is NOT provided by Microsoft / Microsoft Corporation.
7. Click on Finish.
8. Restart.

Important information regarding Driver Verifier:

- If Driver Verifier finds a violation, the system will BSOD. To expand on this a bit more for the interested, specifically what Driver Verifier actually does is it looks for any driver making illegal function calls, causing memory leaks, etc. When and/if this happens, system corruption occurs if allowed to continue. When Driver Verifier is enabled per my instructions above, it is monitoring all 3rd party drivers (as we have it set that way) and when it catches a driver attempting to do this, it will quickly flag that driver as being a troublemaker, and bring down the system safely before any corruption can occur.

- After enabling Driver Verifier and restarting the system, depending on the culprit, if for example the driver is on start-up, you may not be able to get back into normal Windows because Driver Verifier will detect it in violation almost straight away, and as stated above, that will cause / force a BSOD.

If this happens, do not panic, do the following:

- Boot into Safe Mode by repeatedly tapping the F8 key during boot-up.

- Once in Safe Mode - Start > Search > type "cmd" without the quotes.

- To turn off Driver Verifier, type in cmd "verifier /reset" without the quotes.
 Restart and boot into normal Windows.

If your OS became corrupt or you cannot boot into Windows after disabling verifier via Safe Mode:

- Boot into Safe Mode by repeatedly tapping the F8 key during boot-up.

- Once in Safe Mode - Start > type "system restore" without the quotes.

- Choose the restore point you created earlier.

-- Note that Safe Mode for Windows 8/8.1 is a bit different, and you may need to try different methods: 5 Ways to Boot into Safe Mode in Windows 8 & Windows 8.1

How long should I keep Driver Verifier enabled for?

I recommend keeping it enabled for at least 24 hours. If you don't BSOD by then, disable Driver Verifier. I will usually say whether or not I'd like for you to keep it enabled any longer.

My system BSOD'd with Driver Verifier enabled, where can I find the crash dumps?

- If you have the system set to generate Small Memory Dumps, they will be located in %systemroot%\Minidump.

- If you have the system set to generate Kernel-Memory Dumps, it will be located in %systemroot% and labeled MEMORY.DMP.



#6
PlanoTechs

PlanoTechs

    Newbie

  • Member
  • 12 posts
  • Joined 06-February 14
  • OS:Windows 7 x86

Thanks very much, everyone. I'll get to work on Driver Verifier and see what I can find out.


  • Jared44 likes this

#7
PlanoTechs

PlanoTechs

    Newbie

  • Member
  • 12 posts
  • Joined 06-February 14
  • OS:Windows 7 x86

Okay, so I started the Driver Verifier, and then the vehicle got driven during a couple of 12 hour shifts. It looks like the system crashed sometime on the 12th, so I grabbed the memory dump and the minidump and then disabled Driver Verifier.

 

I have uploaded the dumps here: https://onedrive.liv...F3BAAA41FB7!114

 

Thanks again, everyone.



#8
MagicAndre1981

MagicAndre1981

    after Windows 7 GA still Vista lover :)

  • Patrons
  • 6,028 posts
  • Joined 28-August 05
  • OS:Vista Ultimate x86

Donator

Update the driver vsergps.sys (looks like a modem or a different driver for a device which uses the COM port).

*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

PAGE_FAULT_BEYOND_END_OF_ALLOCATION (cd)
N bytes of memory was allocated and more than N bytes are being referenced.
This cannot be protected by try-except.
When possible, the guilty driver's name (Unicode string) is printed on
the bugcheck screen and saved in KiBugCheckDriver.
Arguments:
Arg1: a0e55000, memory referenced
Arg2: 00000000, value 0 = read operation, 1 = write operation
Arg3: 8303b2a0, if non-zero, the address which referenced memory.
Arg4: 00000000, Mm internal code.

Debugging Details:
------------------


DEFAULT_BUCKET_ID:  WIN7_DRIVER_FAULT

BUGCHECK_STR:  0xCD

PROCESS_NAME:  MapPoint.exe

CURRENT_IRQL:  0

TRAP_FRAME:  e005f80c -- (.trap 0xffffffffe005f80c)
ErrCode = 00000000


STACK_TEXT:  
nt!MmAccessFault
nt!KiTrap0E
nt!memmove
WARNING: Stack unwind information not available. Following frames may be wrong.
vsergps
vsergps
nt!IovCallDriver
nt!IofCallDriver
serenum!Serenum_DispatchPassThrough
serenum!Serenum_CreateClose
nt!IovCallDriver
nt!IofCallDriver
nt!IopParseDevice
nt!ObpLookupObjectName
nt!ObOpenObjectByName
nt!IopCreateFile
nt!NtCreateFile
nt!KiSystemServicePostCall
0x0


IMAGE_NAME:  vsergps.sys

FAILURE_BUCKET_ID:  0xCD_VRF_vsergps+331c

FAILURE_ID_HASH_STRING:  km:0xcd_vrf_vsergps+331c

    Image path: \SystemRoot\system32\DRIVERS\vsergps.sys
    Image name: vsergps.sys
    Timestamp:        Wed Jul 29 12:37:36 2009

Edited by MagicAndre1981, 15 August 2014 - 10:08 AM.


#9
Jared44

Jared44
  • Member
  • 7 posts
  • Joined 01-August 14
  • OS:Windows 7 x64
BugCheck CD, {a0e55000, 0, 8303b2a0, 0}

This bugcheck indicates a driver allocated a specific amount of memory but referenced more bytes than were allocated.

0: kd> .trap 0xffffffffe005f80c
ErrCode = 00000000
eax=51510031 ebx=00000014 ecx=00000005 edx=00000000 esi=a0e54ff8 edi=d10f5008
eip=8303b2a0 esp=e005f880 ebp=e005f888 iopl=0         nv up ei ng nz ac po cy
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010293
nt!memmove+0x120:
8303b2a0 8b448ef4        mov     eax,dword ptr [esi+ecx*4-0Ch] ds:0023:a0e55000=????????

We can see a move operation taking place, a dword value stored in the eax register was being moved to a memory location calculated by adding the esi and ecx registers, then multiplying it by 4. This results in memory write to a0e55000 which is more bytes than allocated.

0: kd> !pte a0e55000
                    VA a0e55000
PDE at C0602838            PTE at C05072A8
contains 0000000073825863  contains 0000000200000000
pfn 73825     ---DA--KWEV  not valid
                            PageFile:  0
                            Offset: 2
                            Protect: 0

Here we can see the address was invalid; this is because it wasn't present in memory, as it wasn't allocated.

0: kd> dc a0e55000
a0e55000  ???????? ???????? ???????? ????????  ????????????????
a0e55010  ???????? ???????? ???????? ????????  ????????????????
a0e55020  ???????? ???????? ???????? ????????  ????????????????
a0e55030  ???????? ???????? ???????? ????????  ????????????????
a0e55040  ???????? ???????? ???????? ????????  ????????????????
a0e55050  ???????? ???????? ???????? ????????  ????????????????
a0e55060  ???????? ???????? ???????? ????????  ????????????????
a0e55070  ???????? ???????? ???????? ????????  ????????????????

Yep, no memory addresses present.

e005f7f4 83042aa8 00000000 a0e55000 00000000 nt!MmAccessFault+0x104
e005f7f4 8303b2a0 00000000 a0e55000 00000000 nt!KiTrap0E+0xdc
e005f888 b23ee31c d10f5008 a0e54ff8 00000014 nt!memmove+0x120
WARNING: Stack unwind information not available. Following frames may be wrong.
e005f8b4 b23f1f49 b3100898 a0e54ff8 a4d60e30 vsergps+0x331c
e005f8dc 833336c3 b31007e0 00000000 b30fe3e0 vsergps+0x6f49
e005f900 83038bd5 00000000 82aa0008 b31007e0 nt!IovCallDriver+0x258
e005f914 b2d7c61f e9a1f378 00000000 82aa0008 nt!IofCallDriver+0x1b
e005f928 b2d7c6e7 00000000 01aa0008 82aa0008 serenum!Serenum_DispatchPassThrough+0x65
e005f950 833336c3 b30fe328 b31007e0 d33154f8 serenum!Serenum_CreateClose+0xa5
e005f974 83038bd5 00000000 d3315554 b30fe328 nt!IovCallDriver+0x258
e005f988 83248516 cab224b1 e005fb30 00000000 nt!IofCallDriver+0x1b
e005fa60 83227d2e b31007e0 a5df8378 bf5c6d20 nt!IopParseDevice+0xee6
e005fadc 83238157 00000000 e005fb30 00000040 nt!ObpLookupObjectName+0x4fa
e005fb38 8322ec35 001eebc0 85df8378 83042a01 nt!ObOpenObjectByName+0x165
e005fbb4 832524b4 001eec1c 80100080 001eebc0 nt!IopCreateFile+0x673
e005fc00 8303f8c6 001eec1c 80100080 001eebc0 nt!NtCreateFile+0x34
e005fc00 775a70f4 001eec1c 80100080 001eebc0 nt!KiSystemServicePostCall
001eec24 00000000 00000000 00000000 00000000 0x775a70f4

vsergps.sys may not actually be the cause but it's likely.

0: kd> lm vm vsergps
start    end        module name
b23eb000 b2400000   vsergps    (no symbols)           
    Loaded symbol image file: vsergps.sys
    Image path: \SystemRoot\system32\DRIVERS\vsergps.sys
    Image name: vsergps.sys
    Timestamp:        Wed Jul 29 11:37:36 2009 (4A702670)
    CheckSum:         00020B18
    ImageSize:        00015000
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4

I'm struggling to find anything on the driver apart from the timestamp; there's absolutely nothing coming up on Google regarding this.

If you know what it is, then update that software. Can you also tell us the program name?
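
Added example (not part of the original post): a Python check that recomputes the faulting address from the `.trap` register dump above and measures how far the `memmove` source runs past its page. It assumes the three argument columns of the `nt!memmove` stack line are dst, src and count (here `edi` and `esi` agree with them); the function names are illustrative.

```python
import re

# Constructed input: lines copied from the .trap and stack output above.
TRAP = """\
eax=51510031 ebx=00000014 ecx=00000005 edx=00000000 esi=a0e54ff8 edi=d10f5008
eip=8303b2a0 esp=e005f880 ebp=e005f888 iopl=0         nv up ei ng nz ac po cy
8303b2a0 8b448ef4        mov     eax,dword ptr [esi+ecx*4-0Ch] ds:0023:a0e55000=????????
"""
MEMMOVE_FRAME = "e005f888 b23ee31c d10f5008 a0e54ff8 00000014 nt!memmove+0x120"
PAGE = 0x1000


def registers(text):
    """Return {name: value} for every reg=hex pair in the dump."""
    pairs = re.findall(r"\b(e[a-z]{2})=([0-9a-f]{8})\b", text)
    return {name: int(value, 16) for name, value in pairs}


def effective_address(text):
    """Evaluate the [base+index*scale+/-disp] operand of the faulting instruction."""
    regs = registers(text)
    m = re.search(r"\[(e\w\w)\+(e\w\w)\*(\d)([+-])([0-9A-Fa-f]+)h\]", text)
    base, index, scale, sign, disp = m.groups()
    disp = int(disp, 16) * (1 if sign == "+" else -1)
    return (regs[base] + regs[index] * int(scale) + disp) & 0xFFFFFFFF


def access_kind(text):
    """Intel syntax puts the destination first: memory on the right is a read."""
    line = next(l for l in text.splitlines() if " mov " in l)
    _dest, _, src = line.split("mov", 1)[1].partition(",")
    return "read" if "[" in src else "write"


def overrun(frame):
    """memmove(dst, src, count): bytes of the source that lie beyond its page."""
    _dst, src, count = (int(x, 16) for x in frame.split()[2:5])
    room = PAGE - (src & (PAGE - 1))  # bytes left before the page boundary
    return {"src": src, "count": count, "room": room,
            "past_end": max(0, count - room)}


if __name__ == "__main__":
    print("%s of %08x" % (access_kind(TRAP), effective_address(TRAP)))
    o = overrun(MEMMOVE_FRAME)
    print("copy of 0x%(count)x bytes from %(src)08x: %(room)d bytes left in page, "
          "%(past_end)d past the end" % o)
```

With Special Pool enabled the buffer is placed against the end of its page, so the 8 bytes of room bound the size of the source allocation and the 0x14-byte copy runs 12 bytes beyond it. The recomputed address matches Arg1 of the bugcheck, and the access direction matches Arg2 (0 = read operation).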



#10
PlanoTechs

PlanoTechs

    Newbie

  • Member
  • 12 posts
  • Joined 06-February 14
  • OS:Windows 7 x86

Looks like vsergps.sys is part of the Mitac Virtual GPS System. File version 2.0.0.1.

 

I could not, however, find any information on the Mitac website or on the websites of any of the brands they own (Magellan, Mio, or Navman) about this Virtual GPS software.

 

I spoke to Getac (the brand of computer I'm dealing with), and it appears that they've rebranded the Virtual GPS software as their own. It's a virtual port splitter and allows multiple virtual ports to use the GPS signal coming through the physical port. MapPoint was using it because it was pointing to one of the virtual COM ports for its GPS signal.

 

I uninstalled the software, deleted the driver, and removed the "Multi-Serial Port" from Device Manager. This should resolve the problem.

 

Again, I couldn't have done this without y'all's help. I greatly appreciate your expertise.


Edited by PlanoTechs, 15 August 2014 - 02:50 PM.


#11
Jared44

Jared44
  • Member
  • 7 posts
  • Joined 01-August 14
  • OS:Windows 7 x64

Okay, any other problems don't hesitate to post back.



#12
MagicAndre1981

MagicAndre1981

    after Windows 7 GA still Vista lover :)

  • Patrons
  • 6,028 posts
  • Joined 28-August 05
  • OS:Vista Ultimate x86

Donator


 

I spoke to Getac (the brand of computer I'm dealing with), and it appears that they've rebranded the Virtual GPS software as their own. It's a virtual port splitter and allows multiple virtual ports to use the GPS signal coming through the physical port. MapPoint was using it because it was pointing to one of the virtual COM ports for its GPS signal.

 

I uninstalled the software, deleted the driver, and removed the "Multi-Serial Port" from Device Manager. This should resolve the problem.

 

 

Thanks for the information, so my guess of the COM port was correct. Nice to hear that you fixed it :)

