BSOD on startup every day - Trying to identify specific causation

YELDUR 1

Hi all,

For the past week or so I've been experiencing BSODs whenever I power on the computer first during the day; after we REACH the Windows splash screen, I have no further issues, even when restarting.

rom reviewing the Event Logs I can see one in there stating the following:

"The system has rebooted without cleanly shutting down first. This error could be caused if the system stopped responding, crashed, or lost power unexpectedly."
followed closely by:
"The driver \Driver\WudfRd failed to load for the device PCI\VEN_5853&DEV_1003\1&1a590e2c&0&03."

So far as far as causation goes, this is the only thing throwing flags, as I've successfully performed Windows Memory Diagnostics with no issues being found, system file checks with no corruption being found, and lastly checking in on the device manager and checking all tabs to ensure nothing in there is throwing errors. As far as I can tell, these issues began this week.

I know that this week I plugged in a new keyboard that is different to that of my old one, and in doing so I needed to download some more drivers for it, however I went from a Roccat Aimo 120 to a Roccat Aimo 100, to which the only real difference is the fact that the 100 doesn't have a hand wrest with the keyboard. Besides that, it doesn't appear any different specification wise, so I'm unclear on whether this is the cause. I also changed my power plan on the rig from Balanced to Performance, though I don't expect this to be the cause.

Originally I believed perhaps that drivers were the issue, however, now I'm not so sure.

To cut a long story short, I ran a bugcheck analysis using the Windows Debug tools which threw me the following:

12: kd> !analyze -v
***

    *
    Bugcheck Analysis *
    *

***

MEMORY_MANAGEMENT (1a)
# Any other values for parameter 1 must be individually examined.
Arguments:
Arg1: 0000000000041792, A corrupt PTE has been detected. Parameter 2 contains the address of
the PTE. Parameters 3/4 contain the low/high parts of the PTE.
Arg2: ffff83816716da08
Arg3: 0000800000000000
Arg4: 0000000000000000

Debugging Details:
------------------


KEY_VALUES_STRING: 1

Key : Analysis.CPU.mSec
Value: 3249

Key : Analysis.DebugAnalysisManager
Value: Create

Key : Analysis.Elapsed.mSec
Value: 10478

Key : Analysis.Init.CPU.mSec
Value: 1249

Key : Analysis.Init.Elapsed.mSec
Value: 65592

Key : Analysis.Memory.CommitPeak.Mb
Value: 73

Key : MemoryManagement.PFN
Value: 800000000

Key : WER.OS.Branch
Value: vb_release

Key : WER.OS.Timestamp
Value: 2019-12-06T14:06:00Z

Key : WER.OS.Version
Value: 10.0.19041.1


BUGCHECK_CODE: 1a

BUGCHECK_P1: 41792

BUGCHECK_P2: ffff83816716da08

BUGCHECK_P3: 800000000000

BUGCHECK_P4: 0

MEMORY_CORRUPTOR: ONE_BIT

BLACKBOXNTFS: 1 (!blackboxntfs)


CUSTOMER_CRASH_COUNT: 1

PROCESS_NAME: autochk.exe

STACK_TEXT:
ffff988d4679f388 fffff8054624423a : 000000000000001a 0000000000041792 ffff83816716da08 0000800000000000 : nt!KeBugCheckEx
ffff988d4679f390 fffff80546242a6f : ffff8688b7883700 0000000000000000 ffff868800000002 0000000000000000 : nt!MiDeleteVa+0x153a
ffff988d4679f490 fffff80546212c10 : 0000000000000001 ffff988d00000000 ffff8688b7883550 ffff8688b7910080 : nt!MiDeletePagablePteRange+0x48f
ffff988d4679f7a0 fffff80546252277 : 000000002ce2db4f 0000000000000000 ffff868800000000 fffff80500000000 : nt!MiDeleteVad+0x360
ffff988d4679f8b0 fffff805465f908c : ffff988d00000000 0000000000000000 ffff988d4679fa10 000002ce2db30000 : nt!MiFreeVadRange+0xa3
ffff988d4679f910 fffff805465f8b65 : 00007ff70784b980 000002ce44f49e50 ffff988d4679fad8 0000000000000000 : nt!MmFreeVirtualMemory+0x4ec
ffff988d4679fa60 fffff80546408bb8 : ffff8688b7910080 ffff868800000001 0000000000000000 ffff868800000000 : nt!NtFreeVirtualMemory+0x95
ffff988d4679fac0 00007ffa4676d134 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : nt!KiSystemServiceCopyEnd+0x28
000000e2f757a4b8 0000000000000000 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : 0x00007ffa`4676d134


MODULE_NAME: hardware

IMAGE_NAME: memory_corruption

STACK_COMMAND: .thread ; .cxr ; kb

FAILURE_BUCKET_ID: MEMORY_CORRUPTION_ONE_BIT

OS_VERSION: 10.0.19041.1

BUILDLAB_STR: vb_release

OSPLATFORM_TYPE: x64

OSNAME: Windows 10

FAILURE_ID_HASH: {e3faf315-c3d0-81db-819a-6c43d23c63a7}

Followup: MachineOwner

I work in tech, but I am by no means a master, and to be frank, I don't know what I'm reading here. I can gather that it is telling me that there's something wrong with memory, in that it's seeing corruption, but other than that I'm honestly not too sure.

Here's the event log that prompted me finding these issues:

Event ID 1001

The computer has rebooted from a bugcheck. The bugcheck was: 0x0000001a (0x0000000000041792, 0xffff83816716da08, 0x0000800000000000, 0x0000000000000000). A dump was saved in: C:\WINDOWS\MEMORY.DMP. Report Id: 15812135-3f48-42c4-b474-5b9fd5a5cf7e.

If there's any more information required, please don't hesitate to ask and I will do my best to gather it for you.

71 answers

Reza-Ameri 16,836 Reputation points

2021-10-15T15:34:40.743+00:00

In case you are able to boot into the system, then perform a Clean Boot and see if the problem persist, take a look at:
https://support.microsoft.com/en-us/topic/how-to-perform-a-clean-boot-in-windows-da2f9573-6eec-00ad-2f8a-a97a1807f3dd
If not, you may enable services one by one to see which one is causing the problem.
Are you facing the same issue in the Safe Mode too?
Please sign in to rate this answer.

1 person found this answer helpful.
YELDUR 1 Reputation point

2021-10-15T15:41:06.76+00:00

Hi Reza,

I can certainly give this a go, but given that the issue only shows up when I do a fresh boot after a lengthy period of time, I'll need to do this tonight to see if there's any differences.

I've thus far not tested in Safe Mode, because after it finishes automatically repairing, it boots up and functions completely normally for the rest of the day. The only time this issue presents itself is on a fresh boot after I've gone to sleep and woken up - At least from my testing so far of performing a restart during the day.

I'll give this a go tonight/tomorrow and will let you know whether this changes anything.

Best Regards,

Yeldur

Reza-Ameri 16,836 Reputation points

2021-10-16T16:42:51.02+00:00

Are you facing the same issue in the Clean Boot too?
Try open start and search for feedback and open Feedback Hub app and file a bug report and attach all your dump files there.

YELDUR 1 Reputation point

2021-10-16T18:31:08.88+00:00

Hi Reza,

If you see my below post I mentioned how I did experience another crash today, however from what I can tell it was not a BSOD, as the computer simply powered off, forcing me to initiate the startup process once again.

The logs from performing that are below, unfortunately there's no specific identifier on any post other than that as of now (19:30 UK time) it was posted 6 hours ago.

Reza-Ameri 16,836 Reputation points

2021-10-17T16:43:43.76+00:00

This might be due to the hardware issue, also check your BIOS or UEFI, because sometimes you may setup timer in the BIOS/UEFI to auto-shutdown.
Try discuss this with your device's manufacturer support too.

YELDUR 1 Reputation point

2021-10-17T16:48:02.297+00:00

Hi Reza,

This rig is one I bought the parts for and put together myself, not one that I've bought direct from a shop, in order to reach the manufacturer I'd need to know first what part specifically is failing/has failed, from what Docs has said so far, or the direction he's looking, he's focused on Disk and Memory, so I expect it's possible that it's one of those two, if anything.
Sign in to comment
Darrell Gorter 1,296 Reputation points

2021-10-15T17:41:59.407+00:00

Hello,
Are you running Citrix Software?
The PNP id VEN_5853&DEV_1003\1&1a590e2c&0&03 you mention is for a Citrix Indirect Display Adapter.
Maybe try disabling this as a test to see if you get the same error message
Please sign in to rate this answer.

1 person found this answer helpful.
YELDUR 1 Reputation point

2021-10-15T20:21:54.76+00:00

Hi Dgorter, I can confirm that yes, I do have Citrix Workspace installed for my work, however I have disabled it on startup already, so I would be surprised if this is causing issues. That being said, I can uninstall/reinstall this with no issues, as I'm not presently using this.

I'll completely uninstall it from my system entirely for tonight and we'll see if we get any changes. Thanks for the suggestion!
Sign in to comment

YELDUR 1

Hi everyone,

I have booted up the machine today and was not met with a BSOD, or a repair, however, the machine did reboot from a bugcheck just like before, I've gathered the MiniDump file like before and am posting it here:

0: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

INTERNAL_POWER_ERROR (a0)
The power policy manager experienced a fatal error.
Arguments:
Arg1: 000000000000010e, The disk subsystem returned corrupt data while reading from the
 hibernation file.
Arg2: 000000000000000a
Arg3: 000000000000f794, Incorrect checksum
Arg4: 000000000000e2f1, Previous disk read's checksum

Debugging Details:
------------------


KEY_VALUES_STRING: 1

    Key  : Analysis.CPU.mSec
    Value: 2265

    Key  : Analysis.DebugAnalysisManager
    Value: Create

    Key  : Analysis.Elapsed.mSec
    Value: 6154

    Key  : Analysis.Init.CPU.mSec
    Value: 608

    Key  : Analysis.Init.Elapsed.mSec
    Value: 80411

    Key  : Analysis.Memory.CommitPeak.Mb
    Value: 70


DUMP_FILE_ATTRIBUTES: 0x9
  Hiber Crash Dump
  Kernel Generated Triage Dump

BUGCHECK_CODE:  a0

BUGCHECK_P1: 10e

BUGCHECK_P2: a

BUGCHECK_P3: f794

BUGCHECK_P4: e2f1

CUSTOMER_CRASH_COUNT:  1

STACK_TEXT:  
ffff9806`717a7608 fffff805`2f9a13d4     : 00000000`000000a0 00000000`0000010e 00000000`0000000a 00000000`0000f794 : nt!KeBugCheckEx
ffff9806`717a7610 fffff805`2f9aebf1     : 00000000`00000001 ffffd208`fc959a90 00000005`c1b61000 ffffd209`41c3e000 : nt!PopHiberChecksumHiberFileData+0x10784
ffff9806`717a7670 fffff805`2f9a09ad     : 00000000`00000000 ffffe584`ac235f38 00000000`00000001 00000000`00000001 : nt!PopRequestRead+0x7d
ffff9806`717a76e0 fffff805`2f98fde0     : 0000b461`8930c9e4 ffffe584`ac235f38 00000000`00000000 00000000`00000000 : nt!PopRestoreHiberContext+0x10a75
ffff9806`717a7770 fffff805`2f98fb1e     : fffff805`2fc503a0 ffff9806`717a78f0 fffff805`2fc503a0 00000000`00000100 : nt!PopHandleNextState+0x210
ffff9806`717a77c0 fffff805`2f98f89b     : 00000000`00000100 fffff805`2fc503a0 00000079`80c46556 00000000`00989680 : nt!PopIssueNextState+0x1a
ffff9806`717a77f0 fffff805`2f992ba9     : ffff9806`717a7a00 00000000`00000018 00000000`00000000 fffff805`2f99292f : nt!PopInvokeSystemStateHandler+0x33b
ffff9806`717a79f0 fffff805`2f99263a     : ffffffff`00000000 ffffffff`ffffffff 00000000`00000000 00000000`00000000 : nt!PopEndMirroring+0x1e9
ffff9806`717a7ab0 fffff805`2f992325     : 00000000`00000000 00000000`00000000 00000000`00000001 00000000`00000000 : nt!MmDuplicateMemory+0x2be
ffff9806`717a7b40 fffff805`2f355855     : ffffd209`031af000 ffffd209`031af040 fffff805`2f9921f0 00000000`00000001 : nt!PopTransitionToSleep+0x135
ffff9806`717a7bd0 fffff805`2f3fe818     : ffff8081`a5200180 ffffd209`031af040 fffff805`2f355800 00000000`00000000 : nt!PspSystemThreadStartup+0x55
ffff9806`717a7c20 00000000`00000000     : ffff9806`717a8000 ffff9806`717a1000 00000000`00000000 00000000`00000000 : nt!KiStartSystemThread+0x28


SYMBOL_NAME:  nt!PopHiberChecksumHiberFileData+10784

MODULE_NAME: nt

IMAGE_NAME:  ntkrnlmp.exe

IMAGE_VERSION:  10.0.19041.1237

STACK_COMMAND:  .thread ; .cxr ; kb

BUCKET_ID_FUNC_OFFSET:  10784

FAILURE_BUCKET_ID:  0xa0_10e_nt!PopHiberChecksumHiberFileData

OSPLATFORM_TYPE:  x64

OSNAME:  Windows 10

FAILURE_ID_HASH:  {28ba2091-a476-6f77-2dec-6241bccd4685}

Followup:     MachineOwner
---------

On the bright side it appears different to that of what we've been seeing previously. I've ran another chkdsk on the C: and D: drives which discovered no issues at all.

We have a couple more errors inside the Event Log, here they are in order (top comes first, bottom came last):

Event ID 10029
The activation of the CLSID Windows.Media.Capture.AppCaptureManager timed out waiting for the service BcastDVRUserService_4c8f0a2 to stop.

Event ID 29

Windows failed fast startup with error status 0xC0000001.

Event ID 6008

The previous system shutdown at 3:52:34 AM on 10/16/2021 was unexpected.

Event ID 41

The system has rebooted without cleanly shutting down first. This error could be caused if the system stopped responding, crashed, or lost power unexpectedly.

Event ID 1001

The computer has rebooted from a bugcheck. The bugcheck was: 0x000000a0 (0x000000000000010e, 0x000000000000000a, 0x000000000000f794, 0x000000000000e2f1). A dump was saved in: C:\WINDOWS\Minidump\101621-9000-01.dmp. Report Id: af119261-f2ed-4e8e-be4b-0c021838a51c.

Event ID 10005

DCOM got error "87" attempting to start the service GamingServices with arguments "Unavailable" in order to run the server:
{3E8C9ABE-9226-4609-BF5B-60288A391DEE}

No BSOD, but issues appear to be continuing even when loading up into a clean boot environment unfortunately, and after uninstalling Citrix.

Docs 15,146 Reputation points

2021-10-16T14:09:16.97+00:00

Please run the V2 log collector and post a share link into this thread using one drive, drop box, or google drive:
https://www.windowsq.com/t/bsod-posting-instructions.17/
https://www.windowsq.com/resources/v2-log-collector.8/
https://www.tenforums.com/bsod-crashes-debugging/2198-bsod-posting-instructions.html

%
%
%
%
%

The Microsoft Q&A email notifications are not working in my account.
A thread was opened in the feedback area.
To date there has been to fix.
So there likely will no longer be a fast reply to posts.
And posts may be missed.
Comments can be made in the feedback thread to indicate that a post was made.

.
.
.
.
.
Please remember to vote and to mark the replies as answers if they help.

On the bottom of each post there is:

Propose as answer = answered the question

On the left side of each post: Vote = a helpful post
.
.
.
.
.
Please sign in to rate this answer.

1 person found this answer helpful.
YELDUR 1 Reputation point

2021-10-16T14:34:30.457+00:00

Hi Docs,

Please see the following uploaded V2 logs as requested:

https://drive.google.com/file/d/1duChJB7xgYj40PchNkl6Cj97i5RpYn5o/view?usp=sharing
Sign in to comment
Docs 15,146 Reputation points

2021-10-16T21:04:18.93+00:00

Please perform the following steps:
(some may have been performed earlier in the troubleshooting)

1) Open administrative command prompt and type or copy and paste:

sfc /scannow
dism /online /cleanup-image /restorehealth

When these have completed > right click on the top bar or title bar of the administrative command box > left click on edit then select all > right click on the top bar again > left click on edit then copy > paste into this thread

2) Open administrative command prompt and type or copy and paste: (all at one time)

wmic recoveros set autoreboot = false
wmic recoveros set debuginfotype = 7
wmic recoveros get autoreboot
wmic recoveros get debuginfotype
wmic computersystem where name=%computername% set automaticmanagedpagefile=true
wmic computersystem where name=%computername% get automaticmanagedpagefile
bcdedit /enum {badmemory}
powercfg -h off

When these have completed > right click on the top bar or title bar of the administrative command box > left click on edit then select all > right click on the top bar again > left click on edit then copy > paste into this thread

3) Open administrative command prompt and type or copy and paste:

chkdsk /r /v W:
(change W to the applicable drive letter: C or D)
(test all drives)
(the windows drive testing can be performed overnight)

C:\WINDOWS\system32>chkdsk /r /v C:
The type of the file system is NTFS.
Cannot lock current drive.

Chkdsk cannot run because the volume is in use by another
process. Would you like to schedule this volume to be
checked the next time the system restarts? (Y/N)

(type: y)

https://www.tenforums.com/tutorials/4189-turn-off-fast-startup-windows-10-a.html
https://www.tenforums.com/tutorials/2859-enable-disable-hibernate-windows-10-a.html
https://www.tenforums.com/tutorials/40734-drive-error-checking-windows-10-a.html
https://www.tenforums.com/tutorials/40822-read-chkdsk-log-event-viewer-windows-10-a.html

4) Run Memtest86 for two tests of four passes:

https://www.memtest86.com/

Repeat the test so that there are a total of eight passes.

Find a camera or smartphone camera to take pictures and post images into this thread.

For any problems posting images please use share links.

Memtest86 has a feature to view a text report.

Please post both images and text reports.

5) Uninstall and reinstall:
e1r68x64.sys
Intel(R) I211 Gigabit Network Connection

Name [00000001] Intel(R) I211 Gigabit Network Connection
Adapter Type Ethernet 802.3
Product Type Intel(R) I211 Gigabit Network Connection
PNP Device ID PCI\VEN_8086&DEV_1539&SUBSYS_85F01043&REV_03\6&2AD155D1&0&0028000A
Driver C:\WINDOWS\SYSTEM32\DRIVERS\E1R68X64.SYS (12.18.11.1, 579.37 KB (593,272 bytes), 13/07/2021 22:03)

e1rexpress Intel(R) PCI Express Network Connection Driver R c:\windows\system32\drivers\e1r68x64.sys

6) For any new BSOD after performing all of the above steps run V2 and post a share link into this thread.

.
.
.
.
.
Please remember to vote and to mark the replies as answers if they help.

On the bottom of each post there is:

Propose as answer = answered the question

On the left side of each post: Vote = a helpful post
.
.
.
.
.
Please sign in to rate this answer.

1 person found this answer helpful.
YELDUR 1 Reputation point

2021-10-16T22:34:27.33+00:00

Hi Docs,

I'm familiar with most of these, so am happy to give them a go however not so much with what this does:

"2) Open administrative command prompt and type or copy and paste: (all at one time)

wmic recoveros set autoreboot = false
wmic recoveros set debuginfotype = 7
wmic recoveros get autoreboot
wmic recoveros get debuginfotype
wmic computersystem where name=%computername% set automaticmanagedpagefile=true
wmic computersystem where name=%computername% get automaticmanagedpagefile
bcdedit /enum {badmemory}
powercfg -h off

When these have completed > right click on the top bar or title bar of the administrative command box > left click on edit then select all > right click on the top bar again > left click on edit then copy > paste into this thread"

I just want to know what they do before I go ahead and do them, as it looks like I'm "disabling" the OS recovery which in my mind immediately springs to "Next BSOD = Bricked PC" - Just being cautious is all :P - I appreciate your time and assistance greatly!
Sign in to comment