Random, Frequent Blue Screens - WINDBG suspects ntkrnlmp.exe

Hi,

I've been having random BSOD's on my windows 7 installation. It sometimes happens a week apart, recently its been happening almost daily.  I personally suspect a 3rd party driver however can't pinpoint the issue.  I've run Driver Verifier, WhoCrashed and WINDBG to try to ascertain which one it is, however all are telling me its the kernel... which is quite unlikely.

When Driver Verifier is running (on all drivers as it claims it cannot find any unsigned drivers) the computer does not get past the windows loading screen, and the BSOD indicates the fault is HIDclass.sys. Boot logging claims that only 50 drivers have loaded, and thousands more haven't loaded prior to the crash.

I can't upload the dump as its 800mb unzipped and about 130mb zipped. I have refrained from copying in the boot log as it contains thousands of lines of text, however if they can help, i can upload them somewhere.

What I have done, is attached firstly the WINDBG Report and Secondly the Whocrashed analysis.

If anyone can assist faultfinding the faulty driver, it would be greatly appreciated.

Thanks in Advance

WINDBG Report:

Microsoft (R) Windows Debugger Version 6.2.8250.0 AMD64

Copyright (c) Microsoft Corporation. All rights reserved.

Loading Dump File [C:\Windows\MEMORY.DMP]

Kernel Summary Dump File: Only kernel address space is available

Symbol search path is: srv*c:\cache*http://msdl.microsoft.com/download/symbols

Executable search path is:

Windows 7 Kernel Version 7601 (Service Pack 1) MP (8 procs) Free x64

Product: WinNt, suite: TerminalServer SingleUserTS

Built by: 7601.17790.amd64fre.win7sp1_gdr.120305-1505

Machine Name:

Kernel base = 0xfffff80003663000 PsLoadedModuleList = 0xfffff800038a7650

Debug session time: Thu Apr 26 13:25:39.383 2012 (UTC + 9:30)

System Uptime: 0 days 10:43:39.320

Loading Kernel Symbols

...............................................................

................................................................

....................................................

Loading User Symbols

PEB is paged out (Peb.Ldr = 00000000`7efdf018).  Type ".hh dbgerr001" for details

Loading unloaded module list

.......

TRIAGER: Could not open triage file : C:\Program Files (x86)\Windows Kits\8.0\Debuggers\x64\triage\oca.ini, error 2

TRIAGER: Could not open triage file : C:\Program Files (x86)\Windows Kits\8.0\Debuggers\x64\winxp\triage.ini, error 2

TRIAGER: Could not open triage file : C:\Program Files (x86)\Windows Kits\8.0\Debuggers\x64\triage\user.ini, error 2

*******************************************************************************

*                                                                             *

*                        Bugcheck Analysis                                    *

*                                                                             *

*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 1A, {41201, fffff68000094070, 63700003cc848025, fffffa8012789230}

TRIAGER: Could not open triage file : C:\Program Files (x86)\Windows Kits\8.0\Debuggers\x64\triage\modclass.ini, error 2

Probably caused by : ntkrnlmp.exe ( nt! ?? ::FNODOBFM::`string'+13c82 )

Followup: MachineOwner

---

2: kd> !analyze -v

*******************************************************************************

*                                                                             *

*                        Bugcheck Analysis                                    *

*                                                                             *

*******************************************************************************

MEMORY_MANAGEMENT (1a)

    # Any other values for parameter 1 must be individually examined.

Arguments:

Arg1: 0000000000041201, The subtype of the bugcheck.

Arg2: fffff68000094070

Arg3: 63700003cc848025

Arg4: fffffa8012789230

Debugging Details:

---

TRIAGER: Could not open triage file : C:\Program Files (x86)\Windows Kits\8.0\Debuggers\x64\triage\modclass.ini, error 2

BUGCHECK_STR:  0x1a_41201

DEFAULT_BUCKET_ID:  WIN7_DRIVER_FAULT

PROCESS_NAME:  avp.exe

CURRENT_IRQL:  0

LAST_CONTROL_TRANSFER:  from fffff8000373b83e to fffff800036dfc80

STACK_TEXT: 

fffff88009535878 fffff8000373b83e : 000000000000001a 0000000000041201 fffff68000094070 63700003cc848025 : nt!KeBugCheckEx

fffff88009535880 fffff800036aabe1 : fffffa800da79d01 0000000000000001 0000000000000103 63700003cc848025 : nt! ?? ::FNODOBFM::`string'+0x13c82

fffff880095358c0 fffff800036aa87a : fffffa8012789230 fffffa801216db30 fffffa801216db30 000000001280e000 : nt!MiQueryAddressState+0x2b1

fffff88009535910 fffff800039b9494 : fffff88000000020 000000001280f000 fffffa8012789230 0000000000000000 : nt!MiQueryAddressSpan+0xaa

fffff88009535980 fffff800036def13 : 0000000000003fc8 fffffa8013d9fb60 0000000000000000 000000000008e2a8 : nt!NtQueryVirtualMemory+0x382

fffff88009535a70 00000000771c154a : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : nt!KiSystemServiceCopyEnd+0x13

000000000008e288 0000000000000000 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : 0x771c154a

STACK_COMMAND:  kb

FOLLOWUP_IP:

nt! ?? ::FNODOBFM::`string'+13c82

fffff800`0373b83e cc              int     3

SYMBOL_STACK_INDEX:  1

SYMBOL_NAME:  nt! ?? ::FNODOBFM::`string'+13c82

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: nt

IMAGE_NAME:  ntkrnlmp.exe

DEBUG_FLR_IMAGE_TIMESTAMP:  4f558b55

FAILURE_BUCKET_ID:  X64_0x1a_41201_nt!_??_::FNODOBFM::_string_+13c82

BUCKET_ID:  X64_0x1a_41201_nt!_??_::FNODOBFM::_string_+13c82

Followup: MachineOwner

---

WhoCrashed Reports:

On Thu 26/04/2012 3:55:39 AM GMT your computer crashed

crash dump file: C:\Windows\Minidump\042612-20280-01.dmp

This was probably caused by the following module: ntoskrnl.exe (nt+0x7CC80)

Bugcheck code: 0x1A (0x41201, 0xFFFFF68000094070, 0x63700003CC848025, 0xFFFFFA8012789230)

Error: MEMORY_MANAGEMENT

file path: C:\Windows\system32\ntoskrnl.exe

product: Microsoft® Windows® Operating System

company: Microsoft Corporation

description: NT Kernel & System

Bug check description: This indicates that a severe memory management error occurred.

This might be a case of memory corruption. More often memory corruption happens because of software errors in buggy drivers, not because of faulty RAM modules.

The crash took place in the Windows kernel. Possibly this problem is caused by another driver which cannot be identified at this time.

On Thu 26/04/2012 3:55:39 AM GMT your computer crashed

crash dump file: C:\Windows\memory.dmp

This was probably caused by the following module: ntkrnlmp.exe (nt!KeBugCheckEx+0x0)

Bugcheck code: 0x1A (0x41201, 0xFFFFF68000094070, 0x63700003CC848025, 0xFFFFFA8012789230)

Error: MEMORY_MANAGEMENT

Bug check description: This indicates that a severe memory management error occurred.

This might be a case of memory corruption. More often memory corruption happens because of software errors in buggy drivers, not because of faulty RAM modules.

The crash took place in the Windows kernel. Possibly this problem is caused by another driver which cannot be identified at this time.

On Wed 25/04/2012 5:10:54 PM GMT your computer crashed

crash dump file: C:\Windows\Minidump\042612-23446-01.dmp

This was probably caused by the following module: ntoskrnl.exe (nt+0x7CC80)

Bugcheck code: 0xA (0xFFFFF680002BDAD8, 0x0, 0x0, 0xFFFFF80003794C35)

Error: IRQL_NOT_LESS_OR_EQUAL

file path: C:\Windows\system32\ntoskrnl.exe

product: Microsoft® Windows® Operating System

company: Microsoft Corporation

description: NT Kernel & System

Bug check description: This indicates that Microsoft Windows or a kernel-mode driver accessed paged memory at DISPATCH_LEVEL or above.

This appears to be a typical software driver bug and is not likely to be caused by a hardware problem.

The crash took place in the Windows kernel. Possibly this problem is caused by another driver which cannot be identified at this time.

On Wed 25/04/2012 10:06:18 AM GMT your computer crashed

crash dump file: C:\Windows\Minidump\042512-15724-01.dmp

This was probably caused by the following module: hidclass.sys (HIDCLASS+0x2710)

Bugcheck code: 0xC9 (0x220, 0xFFFFF88005A02710, 0xFFFFF9800C610CF0, 0xFFFFFA8010CE85B0)

Error: DRIVER_VERIFIER_IOMANAGER_VIOLATION

file path: C:\Windows\system32\drivers\hidclass.sys

product: Microsoft® Windows® Operating System

company: Microsoft Corporation

description: Hid Class Library

Bug check description: This is the bug check code for all Driver Verifier

This appears to be a typical software driver bug and is not likely to be caused by a hardware problem.

The crash took place in a standard Microsoft module. Your system configuration may be incorrect. Possibly this problem is caused by another driver on your system which cannot be identified at this time.

On Wed 25/04/2012 9:53:05 AM GMT your computer crashed

crash dump file: C:\Windows\Minidump\042512-17768-01.dmp

This was probably caused by the following module: hidclass.sys (HIDCLASS+0x2710)

Bugcheck code: 0xC9 (0x220, 0xFFFFF880059E5710, 0xFFFFF9800C828CF0, 0xFFFFFA8010DC15B0)

Error: DRIVER_VERIFIER_IOMANAGER_VIOLATION

file path: C:\Windows\system32\drivers\hidclass.sys

product: Microsoft® Windows® Operating System

company: Microsoft Corporation

description: Hid Class Library

Bug check description: This is the bug check code for all Driver Verifier

This appears to be a typical software driver bug and is not likely to be caused by a hardware problem.

The crash took place in a standard Microsoft module. Your system configuration may be incorrect. Possibly this problem is caused by another driver on your system which cannot be identified at this time.

On Wed 25/04/2012 9:38:52 AM GMT your computer crashed

crash dump file: C:\Windows\Minidump\042512-15615-01.dmp

This was probably caused by the following module: hidclass.sys (HIDCLASS+0x2710)

Bugcheck code: 0xC9 (0x220, 0xFFFFF88005826710, 0xFFFFF9800C5BACF0, 0xFFFFFA80111E95B0)

Error: DRIVER_VERIFIER_IOMANAGER_VIOLATION

file path: C:\Windows\system32\drivers\hidclass.sys

product: Microsoft® Windows® Operating System

company: Microsoft Corporation

description: Hid Class Library

Bug check description: This is the bug check code for all Driver Verifier

This appears to be a typical software driver bug and is not likely to be caused by a hardware problem.

The crash took place in a standard Microsoft module. Your system configuration may be incorrect. Possibly this problem is caused by another driver on your system which cannot be identified at this time.

On Wed 25/04/2012 9:29:40 AM GMT your computer crashed

crash dump file: C:\Windows\Minidump\042512-18439-01.dmp

This was probably caused by the following module: ntoskrnl.exe (nt+0x7CC80)

Bugcheck code: 0xC2 (0x7, 0x109B, 0x150008, 0xFFFFFA8013115700)

Error: BAD_POOL_CALLER

file path: C:\Windows\system32\ntoskrnl.exe

product: Microsoft® Windows® Operating System

company: Microsoft Corporation

description: NT Kernel & System

Bug check description: This indicates that the current thread is making a bad pool request.

This appears to be a typical software driver bug and is not likely to be caused by a hardware problem.

The crash took place in the Windows kernel. Possibly this problem is caused by another driver which cannot be identified at this time.

On Tue 24/04/2012 4:54:40 PM GMT your computer crashed

crash dump file: C:\Windows\Minidump\042512-23431-01.dmp

This was probably caused by the following module: ntoskrnl.exe (nt+0x7CC50)

Bugcheck code: 0x1E (0x0, 0x0, 0x0, 0x0)

Error: KMODE_EXCEPTION_NOT_HANDLED

file path: C:\Windows\system32\ntoskrnl.exe

product: Microsoft® Windows® Operating System

company: Microsoft Corporation

description: NT Kernel & System

Bug check description: This indicates that a kernel-mode program generated an exception which the error handler did not catch.

This appears to be a typical software driver bug and is not likely to be caused by a hardware problem.

The crash took place in the Windows kernel. Possibly this problem is caused by another driver which cannot be identified at this time.

On Sun 22/04/2012 4:49:55 PM GMT your computer crashed

crash dump file: C:\Windows\Minidump\042312-25740-01.dmp

This was probably caused by the following module: ntoskrnl.exe (nt+0x7CD40)

Bugcheck code: 0xA (0xFFFFFA804C8EB520, 0x2, 0x0, 0xFFFFF800036E4252)

Error: IRQL_NOT_LESS_OR_EQUAL

file path: C:\Windows\system32\ntoskrnl.exe

product: Microsoft® Windows® Operating System

company: Microsoft Corporation

description: NT Kernel & System

Bug check description: This indicates that Microsoft Windows or a kernel-mode driver accessed paged memory at DISPATCH_LEVEL or above.

This appears to be a typical software driver bug and is not likely to be caused by a hardware problem.

The crash took place in the Windows kernel. Possibly this problem is caused by another driver which cannot be identified at this time.

On Sun 22/04/2012 3:39:57 AM GMT your computer crashed

crash dump file: C:\Windows\Minidump\042212-28704-01.dmp

This was probably caused by the following module: ntoskrnl.exe (nt+0x7CD40)

Bugcheck code: 0xA (0x28, 0x2, 0x0, 0xFFFFF8000371D018)

Error: IRQL_NOT_LESS_OR_EQUAL

file path: C:\Windows\system32\ntoskrnl.exe

product: Microsoft® Windows® Operating System

company: Microsoft Corporation

description: NT Kernel & System

Bug check description: This indicates that Microsoft Windows or a kernel-mode driver accessed paged memory at DISPATCH_LEVEL or above.

This appears to be a typical software driver bug and is not likely to be caused by a hardware problem.

The crash took place in the Windows kernel. Possibly this problem is caused by another driver which cannot be identified at this time.

On Fri 20/04/2012 5:44:42 AM GMT your computer crashed

crash dump file: C:\Windows\Minidump\042012-92056-01.dmp

This was probably caused by the following module: nvlddmkm.sys (nvlddmkm+0x1AF0DC)

Bugcheck code: 0x116 (0xFFFFFA80117544E0, 0xFFFFF8800FBC70DC, 0x0, 0x2)

Error: VIDEO_TDR_ERROR

file path: C:\Windows\system32\drivers\nvlddmkm.sys

product: NVIDIA Windows Kernel Mode Driver, Version 296.10

company: NVIDIA Corporation

description: NVIDIA Windows Kernel Mode Driver, Version 296.10

Bug check description: This indicates that an attempt to reset the display driver and recover from a timeout failed.

A third party driver was identified as the probable root cause of this system error. It is suggested you look for an update for the following driver: nvlddmkm.sys (NVIDIA Windows Kernel Mode Driver, Version 296.10 , NVIDIA Corporation).

Google query: nvlddmkm.sys NVIDIA Corporation VIDEO_TDR_ERROR

On Sun 15/04/2012 4:50:38 AM GMT your computer crashed

crash dump file: C:\Windows\Minidump\041512-26239-01.dmp

This was probably caused by the following module: ntoskrnl.exe (nt+0x7CD40)

Bugcheck code: 0xA (0x0, 0x2, 0x0, 0xFFFFF800036CA0D7)

Error: IRQL_NOT_LESS_OR_EQUAL

file path: C:\Windows\system32\ntoskrnl.exe

product: Microsoft® Windows® Operating System

company: Microsoft Corporation

description: NT Kernel & System

Bug check description: This indicates that Microsoft Windows or a kernel-mode driver accessed paged memory at DISPATCH_LEVEL or above.

This appears to be a typical software driver bug and is not likely to be caused by a hardware problem.

The crash took place in the Windows kernel. Possibly this problem is caused by another driver which cannot be identified at this time.

On Sun 8/04/2012 12:13:04 AM GMT your computer crashed

crash dump file: C:\Windows\Minidump\040812-21231-01.dmp

This was probably caused by the following module: ntoskrnl.exe (nt+0x7CD40)

Bugcheck code: 0x50 (0xFFFFFA7F9D626CD5, 0x1, 0xFFFFF8800169A0FC, 0x7)

Error: PAGE_FAULT_IN_NONPAGED_AREA

file path: C:\Windows\system32\ntoskrnl.exe

product: Microsoft® Windows® Operating System

company: Microsoft Corporation

description: NT Kernel & System

Bug check description: This indicates that invalid system memory has been referenced.

This appears to be a typical software driver bug and is not likely to be caused by a hardware problem.

The crash took place in the Windows kernel. Possibly this problem is caused by another driver which cannot be identified at this time.