jsac

Windows has recovered from an unexpected shutdown


This appears once every other week or so:  "Windows has recovered from an unexpected shutdown."  I came up to the laptop, and it was restarting, but no one had been on it.  When I clicked on the internet icon that was a frozen circle, it said "Windows explorer has stopped working".  I clicked for a solution, and the main screen reloaded.  Then the window "Windows has recovered from an unexpected shutdown" appeared.

perfmon.zip

SysnativeFileCollectionApp.zip


I neglected to mention that I was helped by Kevin for another issue with this computer under "Windows Malware Removal Help and Support" that has been resolved.


Only 232 Windows Update hotfixes installed.  Most systems with SP1 have 350-400 or more.  Please visit Windows Update and get ALL available updates (it may take several trips to get them all).
The actual number is not important.  Rather it's important that you checked manually, installed any available updates, and didn't experience any errors when checking or updating.

Unfortunately, I'm not able to open the MSINFO32 report.  This sometimes happens when using different languages (I use US English).
You can try generating it again and then zip and upload it to see if that helps.

The memory dump doesn't show much.  I'd suggest running Driver Verifier according to these instructions:  https://www.carrona.org/verifier.html

The following is for information purposes only.
The following information contains the relevant information from the blue screen analysis:

**************************Tue Nov 27 19:56:46.014 2018 (UTC - 5:00)**************************


Loading Dump File [C:\Users\john\SysnativeBSODApps\112718-77033-01.dmp]
Windows 7 Kernel Version 7601 (Service Pack 1) MP (2 procs) Free x64
Built by: 7601.24291.amd64fre.win7sp1_ldr_escrow.181110-1429
System Uptime:0 days 3:43:22.027
Probably caused by :ntkrnlmp.exe ( nt!KiSwapContext+7a )
BugCheck 1000009F, {4, 258, fffffa8006d14040, fffff80000b9c520}
BugCheck Info: DRIVER_POWER_STATE_FAILURE (9f)
Arguments:
Arg1: 0000000000000004, The power transition timed out waiting to synchronize with the Pnp
    subsystem.
Arg2: 0000000000000258, Timeout in seconds.
Arg3: fffffa8006d14040, The thread currently holding on to the Pnp lock.
Arg4: fffff80000b9c520, nt!TRIAGE_9F_PNP on Win7 and higher
BUGCHECK_STR:  0x9F
DEFAULT_BUCKET_ID:  WIN7_DRIVER_FAULT
PROCESS_NAME:  System
FAILURE_BUCKET_ID: X64_0x9F_4_nt!KiSwapContext+7a
CPUID:        "Genuine Intel(R) CPU           U4100  @ 1.30GHz"
MaxSpeed:     1300
CurrentSpeed: 1296
¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨``


I searched manually for updates several times.  Several installed including (which I have opted not to install in the past) optional updates.  The exception was one titled HP USB - 12-15-2017 - 44.3.3601.17339.  It said Update Failed with error code 800F020B.  After updating, each time I tried to open the browser, it said This Page Cannot be Displayed - when I logged off and back on, I accessed the internet fine.  Also, I have attached a new copy of the zip file I think you were referring to - hopefully, you can open it.  As to www.carrona.org, I have created a System Repair Disk, and I tested it by attempting to boot from it, and I was able to do so, up to the screen with all of the options including System Restore, Command Prompt, etc.  But do I really want to intentionally stress - and crash - this computer?  Seems a bit of an extreme measure.  Let me know.

perfmon.zip


The perfmon report isn't the one that I'd like to see, rather it's the MSINFO32 report

Go to the Run dialog (Win and R keys) and type in MSINFO32

When the report opens, click File...Save As and save as an NFO file

Zip that report up and upload it with your next post


As for Driver Verifier, the current dump file doesn't point to a particular driver, rather it blames the operating system.

If it was the operating system that had a problem, you'd be experiencing more problems than just the occasional BSOD.

 

The biggest danger of Driver Verifier is losing what you were working on when it crashes.
That can't be helped if you want to have a better shot at locating the problem driver

The other way to do this would be to try a clean install of Windows
this would wipe out everything on the computer
A clean install would tend to rule out 3rd party drivers and Windows - so if the problem continued then, it'd be due to hardware


Ok, I've attached the file you requested.  Hopefully, you can read it ok.  As to Driver Verifier, I'll make copies of what little I'm storing on this computer, and then probably run it. 

System Info 11-30-18.zip


I just ran Driver Verifier, according to the instructions (as best I could) from the web page you suggested.  Computer crashed about 90 seconds after the main screen appeared, then rebooted, then crashed again, then rebooted.  After the 3rd crash, I rebooted in Safe Mode and found a Minidump file that I have attached.  I then turned DV off in Safe Mode and did a regular reboot.  I have more info if you need it.

Minidump.zip


I'm late for work right now - but will try to get to this this afternoon (East coast of the US).

Am running the minidumps while I'm in the shower.....


Sorry, but life interfered :(  I had to work overtime yesterday, and when I got home I just collapsed!

The good news is that the memory dumps blame narcpi_wfp.sys - which is a driver named NARC Packet Informant (WFP)  and is from a company named Content Watch  https://www.contentwatch.com/

Most cases that I was able to find about this related to a program called Net Nanny, but they could also use that driver in other similar products that they provide.
Do you have such a program on your computer?  If so, please uninstall it and test to see if that stops the BSOD's (with Driver Verifier).

If it doesn't BSOD anymore, then please turn Driver Verifier off
To do this, open up verifier.exe and select "Delete existing settings", then click on "Finish" in the lower right
Then reboot for the settings to take effect.

If it doesn't stop it, please post back and I'll provide detailed instructions for manually removing the driver.

Again, I'm sorry for not getting back to you when I promised.  Good luck!

Analysis:
The following is for information purposes only.
The following information contains the relevant information from the blue screen analysis:
**************************Fri Nov 30 16:31:25.729 2018 (UTC - 5:00)**************************
Loading Dump File [C:\Users\john\SysnativeBSODApps\113018-19687-01.dmp]
Windows 7 Kernel Version 7601 (Service Pack 1) MP (2 procs) Free x64
Built by: 7601.24291.amd64fre.win7sp1_ldr_escrow.181110-1429
System Uptime:0 days 0:03:12.758
*** WARNING: Unable to verify timestamp for narcpi_wfp.sys
*** ERROR: Module load completed but symbols could not be loaded for narcpi_wfp.sys
Probably caused by :narcpi_wfp.sys ( narcpi_wfp+42e5 )
BugCheck C4, {f6, 3e4, fffffa8009fa9620, fffff880039182e5}
BugCheck Info: DRIVER_VERIFIER_DETECTED_VIOLATION (c4)
DRIVER_VERIFIER_DETECTED_VIOLATION (c4)
Arguments:
Arg1: 00000000000000f6, Referencing user handle as KernelMode.
Arg2: 00000000000003e4, Handle value being referenced.
Arg3: fffffa8009fa9620, Address of the current process.
Arg4: fffff880039182e5, Address inside the driver that is performing the incorrect reference.
BUGCHECK_STR:  0xc4_f6
PROCESS_NAME:  mbamtray.exe
FAILURE_BUCKET_ID: X64_0xc4_f6_VRF_narcpi_wfp+42e5
CPUID:        "Genuine Intel(R) CPU           U4100  @ 1.30GHz"
MaxSpeed:     1300
CurrentSpeed: 1296
¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨``
**************************Fri Nov 30 16:27:44.475 2018 (UTC - 5:00)**************************
Loading Dump File [C:\Users\john\SysnativeBSODApps\113018-21777-01.dmp]
Windows 7 Kernel Version 7601 (Service Pack 1) MP (2 procs) Free x64
Built by: 7601.24291.amd64fre.win7sp1_ldr_escrow.181110-1429
System Uptime:0 days 0:03:07.520
*** WARNING: Unable to verify timestamp for narcpi_wfp.sys
*** ERROR: Module load completed but symbols could not be loaded for narcpi_wfp.sys
Probably caused by :narcpi_wfp.sys ( narcpi_wfp+42e5 )
BugCheck C4, {f6, 3dc, fffffa800851ab00, fffff880035602e5}
BugCheck Info: DRIVER_VERIFIER_DETECTED_VIOLATION (c4)
DRIVER_VERIFIER_DETECTED_VIOLATION (c4)
Arguments:
Arg1: 00000000000000f6, Referencing user handle as KernelMode.
Arg2: 00000000000003dc, Handle value being referenced.
Arg3: fffffa800851ab00, Address of the current process.
Arg4: fffff880035602e5, Address inside the driver that is performing the incorrect reference.
BUGCHECK_STR:  0xc4_f6
PROCESS_NAME:  mbamtray.exe
FAILURE_BUCKET_ID: X64_0xc4_f6_VRF_narcpi_wfp+42e5
CPUID:        "Genuine Intel(R) CPU           U4100  @ 1.30GHz"
MaxSpeed:     1300
CurrentSpeed: 1296
¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨``
**************************Fri Nov 30 16:24:01.796 2018 (UTC - 5:00)**************************
Loading Dump File [C:\Users\john\SysnativeBSODApps\113018-22464-01.dmp]
Windows 7 Kernel Version 7601 (Service Pack 1) MP (2 procs) Free x64
Built by: 7601.24291.amd64fre.win7sp1_ldr_escrow.181110-1429
System Uptime:0 days 0:02:44.715
*** WARNING: Unable to verify timestamp for narcpi_wfp.sys
*** ERROR: Module load completed but symbols could not be loaded for narcpi_wfp.sys
Probably caused by :narcpi_wfp.sys ( narcpi_wfp+42e5 )
BugCheck C4, {f6, 3c8, fffffa8007ba4b00, fffff880026762e5}
BugCheck Info: DRIVER_VERIFIER_DETECTED_VIOLATION (c4)
DRIVER_VERIFIER_DETECTED_VIOLATION (c4)
Arguments:
Arg1: 00000000000000f6, Referencing user handle as KernelMode.
Arg2: 00000000000003c8, Handle value being referenced.
Arg3: fffffa8007ba4b00, Address of the current process.
Arg4: fffff880026762e5, Address inside the driver that is performing the incorrect reference.
BUGCHECK_STR:  0xc4_f6
PROCESS_NAME:  mbamtray.exe
FAILURE_BUCKET_ID: X64_0xc4_f6_VRF_narcpi_wfp+42e5
CPUID:        "Genuine Intel(R) CPU           U4100  @ 1.30GHz"
MaxSpeed:     1300
CurrentSpeed: 1296
¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨``
**************************Tue Nov 27 19:56:46.014 2018 (UTC - 5:00)**************************
Loading Dump File [C:\Users\john\SysnativeBSODApps\112718-77033-01.dmp]
Windows 7 Kernel Version 7601 (Service Pack 1) MP (2 procs) Free x64
Built by: 7601.24291.amd64fre.win7sp1_ldr_escrow.181110-1429
System Uptime:0 days 3:43:22.027
Probably caused by :ntkrnlmp.exe ( nt!KiSwapContext+7a )
BugCheck 1000009F, {4, 258, fffffa8006d14040, fffff80000b9c520}
BugCheck Info: DRIVER_POWER_STATE_FAILURE (9f)
Arguments:
Arg1: 0000000000000004, The power transition timed out waiting to synchronize with the Pnp
    subsystem.
Arg2: 0000000000000258, Timeout in seconds.
Arg3: fffffa8006d14040, The thread currently holding on to the Pnp lock.
Arg4: fffff80000b9c520, nt!TRIAGE_9F_PNP on Win7 and higher
BUGCHECK_STR:  0x9F
DEFAULT_BUCKET_ID:  WIN7_DRIVER_FAULT
PROCESS_NAME:  System
FAILURE_BUCKET_ID: X64_0x9F_4_nt!KiSwapContext+7a
CPUID:        "Genuine Intel(R) CPU           U4100  @ 1.30GHz"
MaxSpeed:     1300
CurrentSpeed: 1296
¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨``
 


3rd Party Drivers:
The following is for information purposes only.
My recommendations were given above. The drivers that follow belong to software or devices that were not developed by Microsoft.  You can find links to the driver information and where to update the drivers in the section after the code box:
**************************Fri Nov 30 16:31:25.729 2018 (UTC - 5:00)**************************
bcmwl664.sys                Tue Jul  7 20:45:04 2009 (4A53EC10)
amdxata.sys                 Fri Mar 19 12:18:18 2010 (4BA3A3CA)
igdkmd64.sys                Fri Feb 11 14:16:32 2011 (4D558B10)
Rt64win7.sys                Fri Jun 10 02:33:15 2011 (4DF1BAAB)
GEARAspiWDM.sys             Thu May  3 15:56:17 2012 (4FA2E2E1)
narcpi_wfp.sys              Mon Feb 29 14:39:47 2016 (56D49E83)
MpFilter.sys                Mon Aug  8 19:01:17 2016 (57A90F3D)
mbamswissarmy.sys           Wed Sep 26 09:20:26 2018 (5BAB879A)
intelppm.sys                Sat Nov 10 19:43:12 2018 (5BE77B20)
 


http://www.carrona.org/drivers/driver.php?id=bcmwl664.sys
http://www.carrona.org/drivers/driver.php?id=amdxata.sys
http://www.carrona.org/drivers/driver.php?id=igdkmd64.sys
http://www.carrona.org/drivers/driver.php?id=Rt64win7.sys
http://www.carrona.org/drivers/driver.php?id=GEARAspiWDM.sys
narcpi_wfp.sys - this driver hasn't been added to the DRT as of this run. Please search Google/Bing for the driver if additional information is needed.
http://www.carrona.org/drivers/driver.php?id=MpFilter.sys
http://www.carrona.org/drivers/driver.php?id=mbamswissarmy.sys
http://www.carrona.org/drivers/driver.php?id=intelppm.sys

 

 

 

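A triage sketch for the analysis output quoted in the post above, added here and not part of the original thread or of the Sysnative tooling: it groups the dumps by bugcheck, Arg1 and faulting site, and for the 0xC4/0xF6 records subtracts the +42e5 offset from Arg4 to show that the same instruction faulted at a different load base on each boot. The function names are hypothetical, and treating Arg4 as load base plus offset is an assumption supported by the matching low bits.

```python
import re
from collections import defaultdict

# Lines excerpted from the dump analysis quoted in this thread (three 0xC4, one 0x9F).
SAMPLE = r"""Loading Dump File [C:\Users\john\SysnativeBSODApps\113018-19687-01.dmp]
Probably caused by :narcpi_wfp.sys ( narcpi_wfp+42e5 )
BugCheck C4, {f6, 3e4, fffffa8009fa9620, fffff880039182e5}
PROCESS_NAME:  mbamtray.exe
Loading Dump File [C:\Users\john\SysnativeBSODApps\113018-21777-01.dmp]
Probably caused by :narcpi_wfp.sys ( narcpi_wfp+42e5 )
BugCheck C4, {f6, 3dc, fffffa800851ab00, fffff880035602e5}
PROCESS_NAME:  mbamtray.exe
Loading Dump File [C:\Users\john\SysnativeBSODApps\113018-22464-01.dmp]
Probably caused by :narcpi_wfp.sys ( narcpi_wfp+42e5 )
BugCheck C4, {f6, 3c8, fffffa8007ba4b00, fffff880026762e5}
PROCESS_NAME:  mbamtray.exe
Loading Dump File [C:\Users\john\SysnativeBSODApps\112718-77033-01.dmp]
Probably caused by :ntkrnlmp.exe ( nt!KiSwapContext+7a )
BugCheck 1000009F, {4, 258, fffffa8006d14040, fffff80000b9c520}
PROCESS_NAME:  System"""

DUMP = re.compile(r"Loading Dump File \[(?P<path>[^\]]+)\]")
CAUSE = re.compile(r"Probably caused by\s*:\s*(?P<image>\S+) \( (?P<site>\S+)\+(?P<off>[0-9a-fA-F]+) \)")
BUG = re.compile(r"BugCheck (?P<code>[0-9A-Fa-f]+), \{(?P<args>[^}]+)\}")
PROC = re.compile(r"PROCESS_NAME:\s+(?P<proc>\S+)")

def parse_dumps(text):
    """Return one dict per 'Loading Dump File' block in the analysis text."""
    records = []
    for line in text.splitlines():
        if m := DUMP.search(line):
            records.append({"dump": m["path"].rsplit("\\", 1)[-1]})
        elif not records:
            continue  # ignore anything before the first dump header
        elif m := CAUSE.search(line):
            records[-1].update(image=m["image"], site=m["site"], offset=int(m["off"], 16))
        elif m := BUG.search(line):
            records[-1].update(code=int(m["code"], 16),
                               args=[int(a, 16) for a in m["args"].split(",")])
        elif m := PROC.search(line):
            records[-1]["process"] = m["proc"]
    return records

def triage(records):
    """Group crashes by (bugcheck, Arg1, site+offset). For 0xC4/0xF6, Arg4 is an
    address inside the driver, so Arg4 - offset is taken as its load base (assumption)."""
    groups = defaultdict(lambda: {"dumps": [], "bases": set(), "processes": set()})
    for r in records:
        g = groups[(r["code"], r["args"][0], f'{r["site"]}+{r["offset"]:x}')]
        g["dumps"].append(r["dump"])
        g["processes"].add(r.get("process"))
        if r["code"] == 0xC4 and r["args"][0] == 0xF6:
            g["bases"].add(r["args"][3] - r["offset"])
    return dict(groups)

if __name__ == "__main__":
    for key, g in triage(parse_dumps(SAMPLE)).items():
        print(hex(key[0]), hex(key[1]), key[2], g["dumps"], sorted(map(hex, g["bases"])))
```

Three dumps landing in one group with page-aligned but different bases is what makes the `narcpi_wfp+42e5` attribution repeatable rather than a one-off, while the earlier 0x9F dump stays in its own group.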

No problem with your delay in getting back to me!  I appreciate your help!  Yes, I do have Net Nanny installed - a very good filter, but I'll uninstall it and then run DV to see if I get any more BSOD's.  Then to stop DV, I'll do as you suggest.  Last time, I stopped it from Safe Mode.  Question:  when I run DV, how long should I leave it running to see if I get a BSOD?  When I ran it before, the BSOD occurred within about 90 seconds of the main screen appearing.

I won't uninstall Net Nanny and run DV till tomorrow.  I want to contact Net Nanny and let them know of the problem - can't do that till tomorrow afternoon.

Thanks again for your help.

Jeff


There's no real exact answer for how long Driver Verifier should run.
I suggest 36 hours - but that's just so I can be sure that any tasks that run daily will be active during that time.

The driver can have several problems:
- it can become corrupted - causing the BSOD
- it can conflict with Windows - causing the BSOD
- it can conflict with other (non-Windows) drivers - causing the BSOD.
- it can be sound (no problem), but another driver can cause it to crash - causing the BSOD

Uninstalling is just to test.  You can feel free to reinstall after testing.
Then, if the problem doesn't come back - then it was a corruption that caused the problem (and you fixed it by reinstalling).
 


Thanks for the info about DV.  I'm planning to uninstall Net Nanny, and run DV starting late this afternoon.  36 hours will take it to Tuesday morning - I'll have a new minidump file to send you by then.

Jeff


It's been running for about an hour.  What power setting options should I use?  I have it set to dim the display in 10 min, never to turn off the display, and never to put the computer to sleep.

Jeff


The longer you leave it powered on, the longer it's likely to find a glitch.
That being said, there's also something to be said for running the system as you normally would - as that may be more likely to trigger a problem.

If the NetNanny driver is no longer in memory, the chances are good that it won't BSOD, but...remember the possibilities I mentioned above:
The driver can have several problems:
- it can become corrupted - causing the BSOD
- it can conflict with Windows - causing the BSOD
- it can conflict with other (non-Windows) drivers - causing the BSOD.
- it can be sound (no problem), but another driver can cause it to crash - causing the BSOD

So, it's possible (but not real likely) that the Driver Verifier could point out another driver problem.
So, we wait and see.......

Good luck!


I've finished the 36 hours with Driver Verifier running.  I looked under the Windows folder but I didn't find a Minidump file or any kind of memory dump file.  So I'm not sure if I have anything to send you.

Jeff


If the system didn't crash, then there won't be anything in the Minidump folder

In that case, just turn Driver Verifier off.
If you'd like, you can reinstall Net Nanny and see if the BSOD's are gone for good.

Good luck!


I did a new download of Net Nanny and installed it.  I haven't run DV but the computer is running much more smoothly now, and web pages are loading faster.  Thanks for your help!


No need to run DV unless you're getting BSOD's

Just see if Net Nanny works w/o problems.


I'm not having any more BSOD's at this point.  And since I reinstalled Net Nanny, page loads are faster and the computer is running more smoothly.  Thanks so much, John, for your help.  I wish you all the best.

Jeff


Glad to hear it.  Thanks for the kind words!
