Blue screen

Problem signature
Problem Event Name: BlueScreen
Code: 50
Parameter 1: ffffd0014dc6a1b0
Parameter 2: 0
Parameter 3: fffff8017c75c4f4
Parameter 4: 1
OS version: 6_3_9600
Service Pack: 0_0
Product: 256_1
OS Version: 6.3.9600.2.0.0.256.48
Locale ID: 3081

Extra information about the problem
Bucket ID: AV_mvsync!unknown

It does not always happen, but it usually happens in the first 5 minutes after starting Windows and maybe a couple of hours later.

It will show "Page fault in non-paged area"

I have checked the memory and disk, there is nothing wrong.  Who can help me?


  • Edited by samuel shao Tuesday, July 21, 2015 12:59 PM
July 21st, 2015 4:38am

https://onedrive.live.com/redir?resid=9242684070AE2264!105&authkey=!AFFDd_C7DspoM5c&ithint=file%2cdmp
July 28th, 2015 9:34am

https://onedrive.live.com/redir?resid=9242684070AE2264!105&authkey=!AFFDd_C7DspoM5c&ithint=file%2cdmp
July 28th, 2015 9:35am

Very nice of you. I have deleted a lot of software and updated a lot of drivers. The problem happens randomly, so I am not sure whether it has been fixed or not.
July 28th, 2015 9:37am

This was related to mvsync.sys. I can find little information about this driver, so it may be malware. I would run Malwarebytes and do a system file check.

Please download the free version of Malwarebytes. Update it immediately.
Do a full system scan
Let us know the results at the end.

http://www.malwarebytes.org/products

Please run a system file check (SFC) & DISM (if necessary) if you are on win 8 or higher
All instructions are in our Wiki article below...
Should you have any questions please ask us.

System file check (SFC) Scan and Repair System Files

Microsoft (R) Windows Debugger Version 10.0.10166.9 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.


Loading Dump File [C:\Users\zigza\Desktop\072815-18281-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available


************* Symbol Path validation summary **************
Response                         Time (ms)     Location
Deferred                                       SRV*E:\Symbols*http://msdl.microsoft.com/download/symbols
Symbol search path is: SRV*E:\Symbols*http://msdl.microsoft.com/download/symbols
Executable search path is: 
No .natvis files found at C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\Visualizers.
Windows 8.1 Kernel Version 9600 MP (12 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 9600.17736.amd64fre.winblue_r9.150322-1500
Machine Name:
Kernel base = 0xfffff803`cba77000 PsLoadedModuleList = 0xfffff803`cbd50850
Debug session time: Tue Jul 28 03:39:03.769 2015 (UTC - 4:00)
System Uptime: 0 days 0:01:10.504
Loading Kernel Symbols
...............................................................
................................................................
..................................................
Loading User Symbols
Loading unloaded module list
...........
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 50, {ffffd000e6fbe1b0, 0, fffff803cbbba4f4, 1}

*** WARNING: Unable to verify timestamp for mvsync.sys
*** ERROR: Module load completed but symbols could not be loaded for mvsync.sys

Could not read faulting driver name
Probably caused by : mvsync.sys ( mvsync+250b )

Followup:     MachineOwner
---------

2: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced.  This cannot be protected by try-except.
Typically the address is just plain bad or it is pointing at freed memory.
Arguments:
Arg1: ffffd000e6fbe1b0, memory referenced.
Arg2: 0000000000000000, value 0 = read operation, 1 = write operation.
Arg3: fffff803cbbba4f4, If non-zero, the instruction address which referenced the bad memory
	address.
Arg4: 0000000000000001, (reserved)

Debugging Details:
------------------


Could not read faulting driver name

SYSTEM_SKU:  All

SYSTEM_VERSION:  System Version

BIOS_DATE:  05/15/2015

BASEBOARD_PRODUCT:  X99-DELUXE

BASEBOARD_VERSION:  Rev 1.xx

BUGCHECK_P1: ffffd000e6fbe1b0

BUGCHECK_P2: 0

BUGCHECK_P3: fffff803cbbba4f4

BUGCHECK_P4: 1

READ_ADDRESS: GetPointerFromAddress: unable to read from fffff803cbdda138
GetUlongPtrFromAddress: unable to read from fffff803cbdda298
GetUlongPtrFromAddress: unable to read from fffff803cbdda520
 ffffd000e6fbe1b0 

FAULTING_IP: 
nt!output_l+338
fffff803`cbbba4f4 443800          cmp     byte ptr [rax],r8b

MM_INTERNAL_CODE:  1

CPU_COUNT: c

CPU_MHZ: ce2

CPU_VENDOR:  GenuineIntel

CPU_FAMILY: 6

CPU_MODEL: 3f

CPU_STEPPING: 2

CUSTOMER_CRASH_COUNT:  1

DEFAULT_BUCKET_ID:  WIN8_DRIVER_FAULT

BUGCHECK_STR:  AV

PROCESS_NAME:  System

CURRENT_IRQL:  0

ANALYSIS_VERSION: 10.0.10166.9 amd64fre

TRAP_FRAME:  ffffd000e79ab390 -- (.trap 0xffffd000e79ab390)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=ffffd000e6fbe1b0 rbx=0000000000000000 rcx=000000007ffffffe
rdx=0000000000000007 rsi=0000000000000000 rdi=0000000000000000
rip=fffff803cbbba4f4 rsp=ffffd000e79ab520 rbp=ffffd000e79ab620
 r8=0000000000000000  r9=ffffd000e79ab573 r10=00000000ffffffff
r11=0000000000000000 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0         nv up ei pl nz na pe nc
nt!output_l+0x338:
fffff803`cbbba4f4 443800          cmp     byte ptr [rax],r8b ds:ffffd000`e6fbe1b0=00
Resetting default scope

LAST_CONTROL_TRANSFER:  from fffff803cbbf716c to fffff803cbbc7ca0

STACK_TEXT:  
ffffd000`e79ab128 fffff803`cbbf716c : 00000000`00000050 ffffd000`e6fbe1b0 00000000`00000000 ffffd000`e79ab390 : nt!KeBugCheckEx
ffffd000`e79ab130 fffff803`cbaca839 : 00000000`00000000 ffffe000`da6d48c0 ffffd000`e79ab390 00000000`00000000 : nt! ?? ::FNODOBFM::`string'+0x1efac
ffffd000`e79ab1d0 fffff803`cbbd1f2f : 00000000`00000000 ffffd000`e6fbe1b0 00000000`00000000 fffff800`5ad1bad8 : nt!MmAccessFault+0x769
ffffd000`e79ab390 fffff803`cbbba4f4 : ffffd000`e79ab78d 00000000`00000003 00000000`00000040 ffffe000`dd81f5d0 : nt!KiPageFault+0x12f
ffffd000`e79ab520 fffff803`cbbb6cc5 : ffffd000`e79ab820 fffff800`5a0d7ba1 00000000`000001ff ffffe000`dd44ef40 : nt!output_l+0x338
ffffd000`e79ab7e0 fffff803`cbbb6c49 : 00000000`000001ff fffff803`cbbcb07d 00000000`00000000 00000000`3c3023e6 : nt!vsnprintf_l+0x75
ffffd000`e79ab850 fffff800`5ad4850b : 00000000`00000000 fffff803`cbbcab36 fffff803`cba77000 00000000`00000000 : nt!vsnprintf+0x11
ffffd000`e79ab890 00000000`00000000 : fffff803`cbbcab36 fffff803`cba77000 00000000`00000000 00000000`00000089 : mvsync+0x250b


STACK_COMMAND:  kb

FOLLOWUP_IP: 
mvsync+250b
fffff800`5ad4850b ??              ???

SYMBOL_STACK_INDEX:  7

SYMBOL_NAME:  mvsync+250b

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: mvsync

IMAGE_NAME:  mvsync.sys

DEBUG_FLR_IMAGE_TIMESTAMP:  5265208f

BUCKET_ID_FUNC_OFFSET:  250b

FAILURE_BUCKET_ID:  AV_mvsync!Unknown_Function

BUCKET_ID:  AV_mvsync!Unknown_Function

PRIMARY_PROBLEM_CLASS:  AV_mvsync!Unknown_Function

ANALYSIS_SOURCE:  KM

FAILURE_ID_HASH_STRING:  km:av_mvsync!unknown_function

FAILURE_ID_HASH:  {80d8542a-8252-74e2-c4e9-0b220191ec61}

Followup:     MachineOwner
---------

2: kd> lmvm mvsync
Browse full module list
start             end                 module name
fffff800`5ad46000 fffff800`5ad63000   mvsync   T (no symbols)           
    Loaded symbol image file: mvsync.sys
    Image path: \SystemRoot\system32\DRIVERS\mvsync.sys
    Image name: mvsync.sys
    Browse all global symbols  functions  data
    Timestamp:        Mon Oct 21 08:39:43 2013 (5265208F)
    CheckSum:         0001788A
    ImageSize:        0001D000
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4


July 28th, 2015 9:38am
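A read-only way to inspect the driver named in the analysis above, as an added example that is not part of the original thread or any poster's instructions. It assumes the driver is still at the image path shown by `lmvm` and uses the timestamp `5265208F` from the dump; the helper name `Get-PeTimeDateStamp` is hypothetical.

```powershell
# Added example: inspect the driver named in the bugcheck (read-only checks).
# Run from an elevated 64-bit PowerShell so System32 is not redirected to SysWOW64.
$name      = 'mvsync'
$path      = Join-Path $env:SystemRoot 'System32\drivers\mvsync.sys'
$dumpStamp = 0x5265208F          # "Timestamp" shown by lmvm in the dump

function Get-PeTimeDateStamp([string]$File) {
    # IMAGE_DOS_HEADER.e_lfanew is at offset 0x3C; the COFF TimeDateStamp
    # sits 8 bytes past the "PE\0\0" signature it points to.
    $b   = [System.IO.File]::ReadAllBytes($File)
    $off = [BitConverter]::ToInt32($b, 0x3C)
    if ($b[0] -ne 0x4D -or $b[1] -ne 0x5A -or $b[$off] -ne 0x50 -or $b[$off + 1] -ne 0x45) {
        throw "$File is not a PE image"
    }
    [BitConverter]::ToUInt32($b, $off + 8)
}

if (-not (Test-Path -LiteralPath $path)) {
    Write-Warning "$path is not on disk (already renamed or removed?)"
} else {
    $stamp = Get-PeTimeDateStamp $path
    $sig   = Get-AuthenticodeSignature -FilePath $path
    $ver   = (Get-Item -LiteralPath $path).VersionInfo
    $svc   = Get-CimInstance Win32_SystemDriver -Filter "Name='$name'"
    $epoch = New-Object DateTime -ArgumentList 1970, 1, 1, 0, 0, 0, ([DateTimeKind]::Utc)

    [pscustomobject]@{
        Path            = $path
        SHA256          = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        PeTimestampUtc  = $epoch.AddSeconds($stamp)
        MatchesDump     = ($stamp -eq $dumpStamp)
        # Older PowerShell builds ignore catalog files, so a catalog-signed
        # driver can show NotSigned here; treat that as "check further".
        SignatureStatus = $sig.Status
        Signer          = $sig.SignerCertificate.Subject
        Company         = $ver.CompanyName
        Description     = $ver.FileDescription
        FileVersion     = $ver.FileVersion
        ServiceState    = $svc.State
        StartMode       = $svc.StartMode
        ServiceImage    = $svc.PathName
    } | Format-List
}
```

A named signer and populated version fields usually identify the vendor whose software installed the driver; empty fields or a timestamp that differs from the dump mean the file on disk needs a closer look before it is trusted.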

I use Malwarebytes 2.1.8.1057. There are no threats identified.

I use SFC /scannow

Here is the result

Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.

C:\Windows\system32>sfc /scannow

Beginning system scan.  This process will take some time.

Beginning verification phase of system scan.
Verification 100% complete.

Windows Resource Protection did not find any integrity violations.

What could I do next?

July 28th, 2015 8:53pm

Rename mvsync.sys to mvsync.bak so it cannot load and see what objects.

If you continue to crash, upload the DMPs.

July 28th, 2015 8:57pm
