
Unreproducible BSODs after user sign-in


We experience irregular BSODs in a large environment on a manageable but not irrelevant number of Windows 10 systems. Here, the exact Windows 10 version as well as the hardware is diverse, except for the perhaps unimportant feature that all systems are notebooks and based on Intel CPUs.

The aforementioned BSODs occur shortly after a user has logged in. The system must be restarted. Unfortunately, these BSODs have an effect on third-party software on this system in certain unknown time dependencies. Manual rework is then necessary.

After some analysis of the memory dumps, it is found that different processes appear as triggers in WinDbg !analyze. The common feature is that PAGE FAULT IN NONPAGED AREA BSODs occur frequently.

Now the debug level for the memory dumps was increased with the help of Windows' own "verifier" software. On closer analysis it is noticeable that the corresponding "trigger executables" always try to call the Windows API function "NtQuerySystemInformation", which ends in a BSOD.

In the other Windows events no special events are noticeable in this period. Only the event 219 "failed to load driver" was seen, which COULD have something to do with the problem due to the time frame. An attempt is made to load a driver for a component of the Intel CPU "Intel(R) Dynamic Platform and Thermal Framework Processor Participant". The event occurs only once and according to the Windows documentation would only lead to problems if this occurs more often.

The problem cannot be provoked and seems to occur randomly. A driver problem is suspected. However, even with the notebook manufacturer's own driver update software, the problem does not disappear. The version of the "Intel(R) Dynamic Platform and Thermal Framework Processor Participant" driver is very diverse throughout the environment.

We are just not getting anywhere with this complex problem. What analysis measures can be used to further determine or narrow down the problem? What is the best way to proceed?

To whoever has read this long text up to here, many thanks in advance.

edit:

    For analysis of this file, run !analyze -v
0: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced.  This cannot be protected by try-except.
Typically the address is just plain bad or it is pointing at freed memory.
Arguments:
Arg1: fffffffffffffffc, memory referenced.
Arg2: 0000000000000000, value 0 = read operation, 1 = write operation.
Arg3: fffff8073a83e8c5, If non-zero, the instruction address which referenced the bad memory
    address.
Arg4: 0000000000000002, (reserved)

Debugging Details:
------------------


Could not read faulting driver name
*** WARNING: Unable to verify timestamp for win32k.sys

KEY_VALUES_STRING: 1

    Key  : Analysis.CPU.mSec
    Value: 3218

    Key  : Analysis.DebugAnalysisManager
    Value: Create

    Key  : Analysis.Elapsed.mSec
    Value: 33655

    Key  : Analysis.Init.CPU.mSec
    Value: 1030

    Key  : Analysis.Init.Elapsed.mSec
    Value: 8674

    Key  : Analysis.Memory.CommitPeak.Mb
    Value: 105

    Key  : WER.OS.Branch
    Value: vb_release

    Key  : WER.OS.Timestamp
    Value: 2019-12-06T14:06:00Z

    Key  : WER.OS.Version
    Value: 10.0.19041.1


BUGCHECK_CODE:  50

BUGCHECK_P1: fffffffffffffffc

BUGCHECK_P2: 0

BUGCHECK_P3: fffff8073a83e8c5

BUGCHECK_P4: 2

READ_ADDRESS: fffff8073aefb390: Unable to get MiVisibleState
Unable to get NonPagedPoolStart
Unable to get NonPagedPoolEnd
Unable to get PagedPoolStart
Unable to get PagedPoolEnd
unable to get nt!MmSpecialPagesInUse
 fffffffffffffffc 

MM_INTERNAL_CODE:  2

BLACKBOXBSD: 1 (!blackboxbsd)


BLACKBOXNTFS: 1 (!blackboxntfs)


BLACKBOXPNP: 1 (!blackboxpnp)


BLACKBOXWINLOGON: 1

CUSTOMER_CRASH_COUNT:  1

PROCESS_NAME:  Registry

TRAP_FRAME:  ffffb809b8a06b70 -- (.trap 0xffffb809b8a06b70)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=0000000000000000 rbx=0000000000000000 rcx=0000000000000000
rdx=ffff850447e7c99c rsi=0000000000000000 rdi=0000000000000000
rip=fffff8073a83e8c5 rsp=ffffb809b8a06d00 rbp=0000000000000530
 r8=00000000ffff8c04  r9=ffffb809b8a06d80 r10=0000000080472870
r11=0000000000000870 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0         nv up ei pl nz na po cy
nt!CmpFindMatchingDescriptorCell+0x5d:
fffff807`3a83e8c5 44397b04        cmp     dword ptr [rbx+4],r15d ds:00000000`00000004=????????
Resetting default scope

STACK_TEXT:  
ffffb809`b8a068c8 fffff807`3a64a56f     : 00000000`00000050 ffffffff`fffffffc 00000000`00000000 ffffb809`b8a06b70 : nt!KeBugCheckEx
ffffb809`b8a068d0 fffff807`3a49f390     : 00000000`0000000c 00000000`00000000 ffffb809`b8a06bf0 00000000`00000000 : nt!MiSystemFault+0x18d1bf
ffffb809`b8a069d0 fffff807`3a60545e     : ffff8504`3823e9f0 00000000`00000000 00000000`00000000 ffff8504`4d14f9b0 : nt!MmAccessFault+0x400
ffffb809`b8a06b70 fffff807`3a83e8c5     : ffff8504`47e7c8c0 ffff8504`45567874 ffffb809`b8a06da0 fffff807`3aa7888c : nt!KiPageFault+0x35e
ffffb809`b8a06d00 fffff807`3a83e737     : ffff8504`38e27000 ffffb809`b8a06da0 ffff8504`00000001 00000000`80472870 : nt!CmpFindMatchingDescriptorCell+0x5d
ffffb809`b8a06d50 fffff807`3aa6e432     : 00000000`00000001 00000000`00000000 ffff8504`45567874 ffffb809`b8a077a0 : nt!CmpGetSecurityDescriptorNode+0x73
ffffb809`b8a06db0 fffff807`3a89d47a     : ffffbc06`d3af4380 00000000`00000000 00000000`00000000 fffff807`00000000 : nt!CmpAssignSecurityDescriptor+0x1a
ffffb809`b8a06df0 fffff807`3a7f00df     : ffffb809`b8a07080 ffff8504`4c0f7901 ffffbc07`09057a30 ffffb809`b8a07120 : nt!CmpCreateChild+0x482
ffffb809`b8a06f20 fffff807`3a7ee323     : 00000001`0000001a ffffb809`b8a07270 ffffb809`b8a07228 ffffbc07`09057a30 : nt!CmpDoParseKey+0xeef
ffffb809`b8a071c0 fffff807`3a7f23ee     : fffff807`3a7ee001 00000000`00000000 ffffbc07`09057a30 00000000`00000001 : nt!CmpParseKey+0x2c3
ffffb809`b8a07360 fffff807`3a8948aa     : ffffbc07`09057a00 ffffb809`b8a075c8 ffffbc07`00000040 ffffbc06`d3af4380 : nt!ObpLookupObjectName+0x3fe
ffffb809`b8a07530 fffff807`3a89468c     : ffffbc07`00000000 00000000`00000000 0000005b`164fcff8 ffffbc06`d3af4380 : nt!ObOpenObjectByNameEx+0x1fa
ffffb809`b8a07660 fffff807`3a8523f9     : 00000000`00000000 ffffb809`b8a07a80 0000005b`164fcc08 fffff807`3a7f5f00 : nt!ObOpenObjectByName+0x5c
ffffb809`b8a076b0 fffff807`3a851f9e     : ffffe7f9`379fea79 00000000`00000000 00000000`00000000 0000005b`164fcbf8 : nt!CmCreateKey+0x449
ffffb809`b8a07940 fffff807`3a608cb5     : 00000000`00000000 00007ffc`99730000 00000000`00000000 0000005b`164fd008 : nt!NtCreateKey+0x2e
ffffb809`b8a07990 00007ffc`9bd0d114     : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x25
0000005b`164fcb98 00000000`00000000     : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x00007ffc`9bd0d114


SYMBOL_NAME:  nt!CmpFindMatchingDescriptorCell+5d

MODULE_NAME: nt

IMAGE_NAME:  ntkrnlmp.exe

IMAGE_VERSION:  10.0.19041.1348

STACK_COMMAND:  .thread ; .cxr ; kb

BUCKET_ID_FUNC_OFFSET:  5d

FAILURE_BUCKET_ID:  AV_R_INVALID_nt!CmpFindMatchingDescriptorCell

OS_VERSION:  10.0.19041.1

BUILDLAB_STR:  vb_release

OSPLATFORM_TYPE:  x64

OSNAME:  Windows 10

FAILURE_ID_HASH:  {b79bba7b-0721-75dc-5e27-364764c5c333}

Followup:     MachineOwner
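
Added example, not part of the original post: when different processes show up as the trigger across many dumps, grouping the saved `!analyze -v` text by bugcheck code and by the first frame below the page-fault handler shows whether the crashes share one kernel function. The names `parse_analyze` and `cluster` and the second report are hypothetical; the sample lines are taken from the output above.

```python
import re

# Constructed sample: lines copied from the !analyze -v output above, stack trimmed.
SAMPLE = """\
PAGE_FAULT_IN_NONPAGED_AREA (50)
Arg1: fffffffffffffffc, memory referenced.
Arg2: 0000000000000000, value 0 = read operation, 1 = write operation.
PROCESS_NAME:  Registry
STACK_TEXT:
ffffb809`b8a068c8 fffff807`3a64a56f     : 00000000`00000050 ffffffff`fffffffc 00000000`00000000 ffffb809`b8a06b70 : nt!KeBugCheckEx
ffffb809`b8a068d0 fffff807`3a49f390     : 00000000`0000000c 00000000`00000000 ffffb809`b8a06bf0 00000000`00000000 : nt!MiSystemFault+0x18d1bf
ffffb809`b8a069d0 fffff807`3a60545e     : ffff8504`3823e9f0 00000000`00000000 00000000`00000000 ffff8504`4d14f9b0 : nt!MmAccessFault+0x400
ffffb809`b8a06b70 fffff807`3a83e8c5     : ffff8504`47e7c8c0 ffff8504`45567874 ffffb809`b8a06da0 fffff807`3aa7888c : nt!KiPageFault+0x35e
ffffb809`b8a06d00 fffff807`3a83e737     : ffff8504`38e27000 ffffb809`b8a06da0 ffff8504`00000001 00000000`80472870 : nt!CmpFindMatchingDescriptorCell+0x5d
FAILURE_BUCKET_ID:  AV_R_INVALID_nt!CmpFindMatchingDescriptorCell
"""

# Frames that belong to the fault-handling path itself, not to the code that faulted.
HANDLER = {"nt!KeBugCheckEx", "nt!MiSystemFault", "nt!MmAccessFault", "nt!KiPageFault"}
FIELD = re.compile(r"^(PROCESS_NAME|FAILURE_BUCKET_ID):\s+(\S+)", re.M)
FRAME = re.compile(r"^[0-9a-f`]+ [0-9a-f`]+\s+: .* : (\S+)[ \t]*$", re.M)

def parse_analyze(text):
    """Extract the fields needed to compare one !analyze -v report with others."""
    rec = dict(FIELD.findall(text))
    code = re.search(r"^\w+ \(([0-9a-fA-F]+)\)$", text, re.M)
    arg1 = re.search(r"^Arg1: ([0-9a-f]+)", text, re.M)
    arg2 = re.search(r"^Arg2: ([0-9a-f]+)", text, re.M)
    rec["bugcheck"] = int(code.group(1), 16) if code else None
    addr = int(arg1.group(1), 16) if arg1 else None
    # Signed 64-bit view: a small offset from a bad base pointer stands out.
    rec["address"] = addr - (1 << 64) if addr is not None and addr >> 63 else addr
    rec["access"] = {0: "read", 1: "write"}.get(int(arg2.group(1), 16)) if arg2 else None
    frames = [f.split("+")[0] for f in FRAME.findall(text)]
    rec["faulting"] = next((f for f in frames if f not in HANDLER), None)
    return rec

def cluster(reports):
    """Group reports by (bugcheck, faulting function); value is the set of process names."""
    groups = {}
    for rec in map(parse_analyze, reports):
        key = (rec["bugcheck"], rec["faulting"])
        groups.setdefault(key, set()).add(rec.get("PROCESS_NAME"))
    return groups

if __name__ == "__main__":
    # The second report is constructed: same stack, different process name.
    for key, procs in cluster([SAMPLE, SAMPLE.replace("Registry", "svchost.exe")]).items():
        print(hex(key[0]), key[1], sorted(procs))
```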