BSOD on startup every day - Trying to identify specific causation

YELDUR 1 Reputation point
2021-10-15T13:38:02.73+00:00

Hi all,

For the past week or so I've been experiencing BSODs whenever I power on the computer first during the day; after we REACH the Windows splash screen, I have no further issues, even when restarting.

From reviewing the Event Logs I can see one in there stating the following:

"The system has rebooted without cleanly shutting down first. This error could be caused if the system stopped responding, crashed, or lost power unexpectedly."
followed closely by:
"The driver \Driver\WudfRd failed to load for the device PCI\VEN_5853&DEV_1003\1&1a590e2c&0&03."

So far as far as causation goes, this is the only thing throwing flags, as I've successfully performed Windows Memory Diagnostics with no issues being found, system file checks with no corruption being found, and lastly checking in on the device manager and checking all tabs to ensure nothing in there is throwing errors. As far as I can tell, these issues began this week.

I know that this week I plugged in a new keyboard that is different to that of my old one, and in doing so I needed to download some more drivers for it, however I went from a Roccat Aimo 120 to a Roccat Aimo 100, to which the only real difference is the fact that the 100 doesn't have a hand rest with the keyboard. Besides that, it doesn't appear any different specification wise, so I'm unclear on whether this is the cause. I also changed my power plan on the rig from Balanced to Performance, though I don't expect this to be the cause.

Originally I believed perhaps that drivers were the issue, however, now I'm not so sure.

To cut a long story short, I ran a bugcheck analysis using the Windows Debug tools which threw me the following:

12: kd> !analyze -v
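*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************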

MEMORY_MANAGEMENT (1a)
# Any other values for parameter 1 must be individually examined.
Arguments:
Arg1: 0000000000041792, A corrupt PTE has been detected. Parameter 2 contains the address of
the PTE. Parameters 3/4 contain the low/high parts of the PTE.
Arg2: ffff83816716da08
Arg3: 0000800000000000
Arg4: 0000000000000000

Debugging Details:
------------------


KEY_VALUES_STRING: 1

Key : Analysis.CPU.mSec
Value: 3249

Key : Analysis.DebugAnalysisManager
Value: Create

Key : Analysis.Elapsed.mSec
Value: 10478

Key : Analysis.Init.CPU.mSec
Value: 1249

Key : Analysis.Init.Elapsed.mSec
Value: 65592

Key : Analysis.Memory.CommitPeak.Mb
Value: 73

Key : MemoryManagement.PFN
Value: 800000000

Key : WER.OS.Branch
Value: vb_release

Key : WER.OS.Timestamp
Value: 2019-12-06T14:06:00Z

Key : WER.OS.Version
Value: 10.0.19041.1


BUGCHECK_CODE: 1a

BUGCHECK_P1: 41792

BUGCHECK_P2: ffff83816716da08

BUGCHECK_P3: 800000000000

BUGCHECK_P4: 0

MEMORY_CORRUPTOR: ONE_BIT

BLACKBOXNTFS: 1 (!blackboxntfs)


CUSTOMER_CRASH_COUNT: 1

PROCESS_NAME: autochk.exe

STACK_TEXT:
ffff988d4679f388 fffff8054624423a : 000000000000001a 0000000000041792 ffff83816716da08 0000800000000000 : nt!KeBugCheckEx
ffff988d4679f390 fffff80546242a6f : ffff8688b7883700 0000000000000000 ffff868800000002 0000000000000000 : nt!MiDeleteVa+0x153a
ffff988d4679f490 fffff80546212c10 : 0000000000000001 ffff988d00000000 ffff8688b7883550 ffff8688b7910080 : nt!MiDeletePagablePteRange+0x48f
ffff988d4679f7a0 fffff80546252277 : 000000002ce2db4f 0000000000000000 ffff868800000000 fffff80500000000 : nt!MiDeleteVad+0x360
ffff988d4679f8b0 fffff805465f908c : ffff988d00000000 0000000000000000 ffff988d4679fa10 000002ce2db30000 : nt!MiFreeVadRange+0xa3
ffff988d4679f910 fffff805465f8b65 : 00007ff70784b980 000002ce44f49e50 ffff988d4679fad8 0000000000000000 : nt!MmFreeVirtualMemory+0x4ec
ffff988d4679fa60 fffff80546408bb8 : ffff8688b7910080 ffff868800000001 0000000000000000 ffff868800000000 : nt!NtFreeVirtualMemory+0x95
ffff988d4679fac0 00007ffa4676d134 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : nt!KiSystemServiceCopyEnd+0x28
000000e2f757a4b8 0000000000000000 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : 0x00007ffa`4676d134


MODULE_NAME: hardware

IMAGE_NAME: memory_corruption

STACK_COMMAND: .thread ; .cxr ; kb

FAILURE_BUCKET_ID: MEMORY_CORRUPTION_ONE_BIT

OS_VERSION: 10.0.19041.1

BUILDLAB_STR: vb_release

OSPLATFORM_TYPE: x64

OSNAME: Windows 10

FAILURE_ID_HASH: {e3faf315-c3d0-81db-819a-6c43d23c63a7}

Followup: MachineOwner

I work in tech, but I am by no means a master, and to be frank, I don't know what I'm reading here. I can gather that it is telling me that there's something wrong with memory, in that it's seeing corruption, but other than that I'm honestly not too sure.

Here's the event log that prompted me finding these issues:

Event ID 1001

The computer has rebooted from a bugcheck. The bugcheck was: 0x0000001a (0x0000000000041792, 0xffff83816716da08, 0x0000800000000000, 0x0000000000000000). A dump was saved in: C:\WINDOWS\MEMORY.DMP. Report Id: 15812135-3f48-42c4-b474-5b9fd5a5cf7e.

If there's any more information required, please don't hesitate to ask and I will do my best to gather it for you.

Windows for business | Windows Client for IT Pros | User experience | Other
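As an added example (not part of the original post and not code from any Microsoft tool), this Python script parses the Event ID 1001 text quoted above into the bugcheck code and its four parameters and, for the 0x1A / 0x41792 case, reports which bits are set in the PTE contents, for comparison with the `MEMORY_CORRUPTOR: ONE_BIT` line. It assumes an x64 dump where parameter 3 holds the whole PTE and that the page frame field is read by shifting out the low 12 bits; the function names are made up for illustration.

```python
import re

# Event ID 1001 message text, copied from the post above (Report Id omitted).
EVENT_1001 = (
    "The computer has rebooted from a bugcheck. The bugcheck was: 0x0000001a "
    "(0x0000000000041792, 0xffff83816716da08, 0x0000800000000000, "
    "0x0000000000000000). A dump was saved in: C:\\WINDOWS\\MEMORY.DMP."
)

HEX = r"(0x[0-9a-fA-F]+)"
BUGCHECK_RE = re.compile(
    r"bugcheck was:\s*" + HEX + r"\s*\(\s*"
    + HEX + r",\s*" + HEX + r",\s*" + HEX + r",\s*" + HEX + r"\s*\)"
)


def parse_bugcheck(message):
    """Return (code, [p1, p2, p3, p4]) as integers from an Event 1001 message."""
    m = BUGCHECK_RE.search(message)
    if m is None:
        raise ValueError("no bugcheck code/parameters found in message")
    code, *params = (int(g, 16) for g in m.groups())
    return code, params


def set_bits(value):
    """List the positions (0 = least significant) of the bits set in a 64-bit value."""
    return [i for i in range(64) if (value >> i) & 1]


def describe(message):
    """Decode the fields that matter for MEMORY_MANAGEMENT (1a), subtype 41792."""
    code, (p1, p2, p3, p4) = parse_bugcheck(message)
    info = {"code": code, "subtype": p1}
    if code == 0x1A and p1 == 0x41792:
        # Per the !analyze text: P2 is the PTE address, P3/P4 its low/high parts.
        # Assumption: on x64 the full PTE is in P3 and P4 is zero, as in this dump.
        bits = set_bits(p3)
        info.update(
            pte_address=p2,
            pte_value=p3,
            pte_high=p4,
            set_bits=bits,
            single_bit=len(bits) == 1,
            # Assumption: 4 KiB pages, so the frame field starts at bit 12.
            pfn_field=p3 >> 12,
        )
    return info


if __name__ == "__main__":
    for key, value in describe(EVENT_1001).items():
        shown = hex(value) if isinstance(value, int) and not isinstance(value, bool) else value
        print(f"{key:12} {shown}")
```

For this crash the result is a single set bit, bit 47, and a frame field of 0x800000000, the same number `!analyze -v` prints as `MemoryManagement.PFN`.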

71 answers

  1. YELDUR 1 Reputation point
    2021-10-24T01:52:36.267+00:00

    Hi Docs,

    As per my last comment:

    1) Turned on verifier -> Rebooted
    2) Hit windows desktop splash screen -> Logged in -> regular BSOD
    3) Rebooted -> Hit a verifier BSOD -> Restarted again
    5) Hit advanced recovery -> CMD -> ran "verifier /reset" -> shut down -> Verifier BSOD
    6) Rebooted again and received a regular BSOD -> Rebooted -> Loaded into advanced recovery
    7) CMD -> ran "verifier /bootmode resetonbootfail" -> Rebooted -> Logged in and received a verifier
    8) Rebooted -> Received verifier BSOD -> Rebooted -> Advanced recovery
    9) System Restore -> Restored to the restore point I created

    https://drive.google.com/file/d/1ml3738Q0JCpmhX22P5s2GVvTH5w8B0x9/view?usp=sharing
    https://drive.google.com/file/d/1-52w2ZCb9Bmtlo0j4Bkf0b3vQAVPuMur/view?usp=sharing

    In terms of getting myself to a point like you said, where I can review these and take action myself, what do you do once you receive those logs? I've got WinDbg installed, which I presume is what the Memory.DMP file goes into, what do you tend to look for inside the V2 logs? Any specific red flags?


  2. YELDUR 1 Reputation point
    2021-10-24T12:20:39.4+00:00

    Hi Docs,

    BSOD from this morning:
    https://drive.google.com/file/d/1PFypJyBdDnclKQkgCHqrPfbo5TUn6cAq/view?usp=sharing
    https://drive.google.com/file/d/1xg7nYxEF23iGV19ZDvLQTgKR09rfLHDa/view?usp=sharing

    On the back of your report that the drivers I uninstalled/reinstalled didn't seem to work and were still triggering, I've uploaded the following:
    https://drive.google.com/drive/folders/1MM1hsJ7A01MhmiLnIyShCG_6Wdc9KN0H?usp=sharing

    I uninstalled both, restarted and both of them were back there with no involvement from myself. I scanned for hardware changes again like I did last time, but from my understanding these drivers should not be automatically reinstalling on a reboot given that I instructed them to uninstall, could this be causing some issues?

    Have uninstalled -> reinstalled Chipset drivers
    Have updated Windows (Is now fully up to date inclusive of optional updates, one of which was a driver update)
    Have checked Win Defender is on latest version (no updates to install)
    Have uninstalled Citrix Software (Please note that I am going to have to install this again on Monday because I regularly make use of it in work as it's what we use to access our password vault to access our customer environments)

    I have cleared my schedule in its entirety today, so I am with you until around the same time as yesterday.

    I understand if you have to go a bit more hands off, I want to make this as easy as possible for you with both of our limited time, if there was a way I could compensate you for your efforts I would offer to do so, but I'm guessing that the MS Forum might not allow for it.


  3. YELDUR 1 Reputation point
    2021-10-24T12:46:55.68+00:00

    Hi Docs,

    Further update after re-enabling WDV

    1) In my haste to get these checks done ASAP I forgot to take a system restore point, so have had to re-do everything I did above (Win updates, driver reinstall etc etc)
    2) Citrix is back, however it won't let me uninstall it anymore, it states: "The global document path cannot be retrieved" - I followed the filepath and it doesn't appear broken, as I was able to from the shortcut reach the portion that brings me to a folder that is Citrix related.

    Steps taken prior to the system restore:

    1) Turned on verifier -> Rebooted
    2) Hit windows desktop splash screen -> Logged in -> regular BSOD
    3) Rebooted -> Hit a regular BSOD -> Restarted again
    5) Hit advanced recovery -> CMD -> ran "verifier /reset" -> shut down -> logged in -> regular BSOD
    6) Rebooted again and received a regular BSOD on sign in -> Rebooted -> Loaded into advanced recovery
    7) CMD -> ran "verifier /bootmode resetonbootfail" -> Rebooted -> Logged in and received a regular BSOD
    8) Rebooted -> Received regular BSOD -> Rebooted -> Advanced recovery
    9) System Restore -> Restored to the restore point I created

    Crash dumps for your reference:

    https://drive.google.com/file/d/1saIrtwcgHQByOpmMbko5CnTtI1DgFwfW/view?usp=sharing
    https://drive.google.com/file/d/1NFB0wXQWkx8DdV_tmzGmdY0wGeKxuubn/view?usp=sharing


  4. YELDUR 1 Reputation point
    2021-10-24T14:38:20.233+00:00

    Hi Docs,

    Apologies, forgot to upload the MB cleaner details as requested as well:

    mbam-check result log version:     2.3.2.0
    ========================================
    
    User Account type:                 Administrator
    DomainComputer:                    No
    OS:                                Windows 10  64 bit Operating System
    Current Version and Build:         10.0.19043 OS Product Info: Home Edition
    
    
    mbam-check result log version: 2.3.2.0
    
    Date Log Created: 10/24/21
    Time Log Created: 15:36:48
    
    
    User Information for Local System:
    ===========================================
    User Account: Administrator
        Account Level: Admin
    User Account: DefaultAccount
        Account Level: Guest
    User Account: Guest
        Account Level: Guest
    User Account: WDAGUtilityAccount
        Account Level: Guest
    User Account: Yeldur
        Account Level: Admin
    Total # of user entries: 5
    
    UAC Settings:
    ===================
    SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
        DWORD   1   Status: ON
    SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin
        DWORD   5   Status: ON
    
    AntiVirus Information:
    ===================
    AntiVirus Software Installed:   "Windows Defender"
    
    FireWall Information:
    ===================
    NO 3rd Party Firewall Software Installed
    
    AntiSpyware Information:
    ===================
    NO AntiSpyware Software Installed
    
    Machine Information
    ===============================================
    Machine ID: 194b34cacc83dd7a868de627d8f48dce20febbf8
    System has been up for:     1.31222 Hours
    Current Date:   2021-Oct-24 14:36:49.028936
    Date Booted:    2021-Oct-24 13:36:49.028936
    
    Compatibility Flag Settings:
    =================================
    
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\appCompatFlags\Layers
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\appCompatFlags\Layers
        C:\Program Files (x86)\AMD\Chipset_IODrivers\Setup.exeREG_SZ        ~ WIN8RTM WIN7RTM
        C:\Users\Yeldur\Downloads\CitrixWorkspaceApp(1).exeREG_SZ       $ WinBlueRTM
    HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\appCompatFlags\Layers
        SeaToolsforWindows.exe        REG_SZ        RUNASADMIN
    
    Malwarebytes Anti-Malware Shell Extension Block Check:
    ======================================================
    
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Blocked:
    
    MBAM Startup Entries: 
    =====================
    HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run
    HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
    
    Malwarebytes Anti-Malware Service and Driver Status:
    =======================================================
    
    --------------Driver File Info:--------------
    
    --------------MBAMProtector:--------------
    Type:                   N/A
    State:                  0 <--CAN NOT OPEN SC_HANDLE, SERVICE IS NOT RUNNING FOR: MBAMProtector
    WIN32_EXIT_CODE:        N/A
    SERVICE_EXIT_CODE:      N/A
    CHECKPOINT:             N/A
    WAIT_HINT:              N/A
    
    
    --------------MBAMService:--------------
    Type:                   N/A
    State:                  0 <--CAN NOT OPEN SC_HANDLE, SERVICE IS NOT RUNNING FOR: MBAMService
    WIN32_EXIT_CODE:        N/A
    SERVICE_EXIT_CODE:      N/A
    CHECKPOINT:             N/A
    WAIT_HINT:              N/A
    
    
    --------------MBAMScheduler:--------------
    Type:                   N/A
    State:                  0 <--CAN NOT OPEN SC_HANDLE, SERVICE IS NOT RUNNING FOR: MBAMScheduler
    WIN32_EXIT_CODE:        N/A
    SERVICE_EXIT_CODE:      N/A
    CHECKPOINT:             N/A
    WAIT_HINT:              N/A
    
    
    --------------MBAMChameleon:--------------
    Type:                   N/A
    State:                  0 <--CAN NOT OPEN SC_HANDLE, SERVICE IS NOT RUNNING FOR: MBAMChameleon
    WIN32_EXIT_CODE:        N/A
    SERVICE_EXIT_CODE:      N/A
    CHECKPOINT:             N/A
    WAIT_HINT:              N/A
    
    
    --------------MBAMWebAccessControl:--------------
    Type:                   N/A
    State:                  0 <--CAN NOT OPEN SC_HANDLE, SERVICE IS NOT RUNNING FOR: MbamWebAccessControl
    WIN32_EXIT_CODE:        N/A
    SERVICE_EXIT_CODE:      N/A
    CHECKPOINT:             N/A
    WAIT_HINT:              N/A
    
    
    Required Dependencies:
    ======================
    
    --------------BFE:--------------
    Type:                   N/A
    State:                  0 <--CAN NOT OPEN SC_HANDLE, SERVICE IS NOT RUNNING FOR: BFE
    WIN32_EXIT_CODE:        N/A
    SERVICE_EXIT_CODE:      N/A
    CHECKPOINT:             N/A
    WAIT_HINT:              N/A
    
    
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\BFE
        DependOnService               REG_MULTI_SZ  RpcSs
    
        Description                   REG_SZ        @%SystemRoot%\system32\bfe.dll,-1002
        DisplayName                   REG_SZ        @%SystemRoot%\system32\bfe.dll,-1001
        ErrorControl                  REG_DWORD     1
        FailureActions                REG_BINARY    Binary Data
    
        Group                         REG_SZ        NetworkProvider
        ImagePath                     REG_EXPAND_SZ %systemroot%\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p
        ObjectName                    REG_SZ        NT AUTHORITY\LocalService
        RequiredPrivileges            REG_MULTI_SZ  SeAuditPrivilege
    
        ServiceSidType                REG_DWORD     3
        Start                         REG_DWORD     2
        SvcHostSplitDisable           REG_DWORD     1
        Type                          REG_DWORD     32
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\BFE\Parameters
        ServiceDll                    REG_EXPAND_SZ %SystemRoot%\System32\bfe.dll
        ServiceDllUnloadOnStop        REG_DWORD     1
        ServiceMain                   REG_SZ        BfeServiceMain
    
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\BFE\Security
        Security                      REG_BINARY    Binary Data
    
    --------------fltmgr:--------------
    Type:                   2
    State:                  4 (The service is running.) (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
    WIN32_EXIT_CODE:        0
    SERVICE_EXIT_CODE:      0
    CHECKPOINT:             0
    WAIT_HINT:              0
    
    
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\FltMgr
        AttachWhenLoaded              REG_DWORD     1
        Description                   REG_SZ        @%SystemRoot%\system32\drivers\fltmgr.sys,-10000
        DisplayName                   REG_SZ        @%SystemRoot%\system32\drivers\fltmgr.sys,-10001
        ErrorControl                  REG_DWORD     3
        Group                         REG_SZ        FSFilter Infrastructure
        ImagePath                     REG_EXPAND_SZ system32\drivers\fltmgr.sys
        Start                         REG_DWORD     0
        Tag                           REG_DWORD     1
        Type                          REG_DWORD     2
    
    
    C:\WINDOWS\system32\drivers\fltmgr.sys
    File Size: 435000    BYTES  FileVersion: 6.2.19041.1151 MD5: [9513d254a2f84527ebff58cbb6a66f18]
    C:\WINDOWS\SysWOW64\olepro32.dll
    File Size: 88576     BYTES  FileVersion: 6.2.19041.84   MD5: [c6575e5e95754390a7ce8be0a66a3735]
    
    
    MBAM Registry Settings and License Info:
    ========================================
    
    
    
    
    
    Scheduler Queue:
    ================
    
    
    Pending File Rename Operations: 
    ================================
    If any Malwarebytes Anti-Malware items are listed below, the user must reboot to complete a Malwarebytes Anti-Malware upgrade installation.
    
    MBAMProtector Registry Values:
    ==============================
    
    
    
    MBAMService Registry Values:
    ============================
    
    
    
    MBAMScheduler Registry Values:
    ==============================
    
    
    
    Terminal Services Status for (null) entries in PM logs and GetUserToken errors:
    ===============================================================================
    
    --------------TERMService:--------------
    Type:                   32
    State:                  1 (The service is not running.) (State is stopped)
    WIN32_EXIT_CODE:        1077
    SERVICE_EXIT_CODE:      0
    CHECKPOINT:             0
    WAIT_HINT:              0
    
    
    TermService Start is set to: 3 (Manual Startup)
    
    Proxy Status: No proxy is Set
    
    LAN Settings:
    =============
    
    only 'Automatically detect settings' is selected
    
    SystemPartition:
    ================
    
    HKEY_LOCAL_MACHINE\SYSTEM\Setup\
        SystemPartition REG_SZ      \Device\HarddiskVolume2
    
    Balloon Tips Status:
    ====================
    
    Enabled
    
    Time Format Settings:
    =====================
    
    Should be:
            h:mm:ss tt
            AM 
            PM 
            :
    
    Currently:
    REG_SZ      HH:mm:ss
    REG_SZ      AM
    REG_SZ      PM
    REG_SZ      :
    
    Language and Regional Settings:
    ===============================
    
    ACP:    Language is English (United States)
    MACCP:  Language is English (United States)
    OEMCP:  Language is English (United States)
    
    Startup Folders for Error_Expanding_Variables Check:
    ====================================================
    
    All Users Startup Folder Exists.
    Current User's Startup Folder Exists.
    
    
    
    MBAM DLL's and Runtime Files:
    =============================
    
    
    
    
    MBAM Registry Settings and License Info (part 2):
    ==================================================
    
    
    
    Context Menu Entries:
    =====================
    
    
    
    List of MBAM Related Directories:
    =================================
    
    ===============================================================
    END OF FILE
    

  5. Docs 15,846 Reputation points
    2021-10-24T19:08:32.783+00:00

    What's the current status?

    See if you can download and install Citrix now followed by an uninstallation.

    Place a support ticket in the Citrix forums for their method to best clean and reinstall their software and drivers.

    https://www.citrix.com/community/
    https://discussions.citrix.com/topic/385775-citrix-receiver-47-bluescreen-ctxusbmsys/

    The memory dumps are downloading.

    Please remember to vote and to mark the replies as answers if they help.

    On the bottom of each post there is:

    Propose as answer = answered the question

    On the left side of each post: Vote = a helpful post

