Need help with Win 7 mrxsmb.sys BSOD.

Darn, I forgot to attach it.:-o

Kevin

 

I see nothing new there so I snipped a section from the stack text, afd!WskProTLConnectComplete, and did a Google search for it, it came up with just 2 hits, this thread and one other - another 0x44 BSOD on W7 that happens "running webroot security scanner".

It proves nothing at all but it could give more credence to it being security App related.

 

OK, day one after replacing all norton stuff with Avast and Windows firewall.:-D
Was writing the first version of this note, and it BSODed in the middle of it.
Seems the same as last one. The only difference is that instead of mrxsmb.sys +8 it's now like the last one, mrxsmb.sys +87c7.:confused

Anyway, will try removing a few more things. I was wondering about Deskscapes 3. It has the ability to kill the moving wallpaper at times.(I think when it's not visible, but not sure of all the times it does this.)
Past that, I have few ideas.
Could the Synology NAS cause this in anyway? It's on the network, but the only real connection is that it is mounted as Z drive in two of the user accounts.
I may try one more round of deletions, then the only other thing I can think of is to reload Acronis, and do a complete image of the drive, then format the C: partition and reload just windows and maybe outlook. If it crashed then it's something hardware I would think, if not, I guess we start loading things back. (leaving out stuff that's colected over the year that we don't need.)

I can only have it down so long to do this, but I figure I can reload the image back after I determine if it's hardware or software, until I have time to do the whole fresh reload etc. (still hoping for that SSD in a month or so rolleyes)

By the way, another stupid thought. Could the setting in bios that lets the MB either designate IRQs etc. or the OS have any effect on this?
A while back (don't know when in relation to the BSODs), after updating the Bios I noticed it was set to have the MD do it, so I set it to the OS.

More straws to grasp at I guess.

Kevin

 

To test whether it's related to the NAS, unmount it from one of the accounts and test for a few days solely from that account?

Logitech software is still installed, perhaps roll back the mouse/keyboard drivers to the Windows defaults then uninstall the Logitech software?

I usually set the OS to take charge of the IRQ's, you could try it the other way.

You did use the Symantec uninstall tool to ensure all the dregs were removed, yes?

I know nothing of Deskscapes and I don't see any obvious signs of it in the dumps.

I should be back online in 2-3 hours, could you upload the last dump so I can check it over please?

 

Maybe I will unmount the NAS from both accounts just to see.

Yes I used the norton uninstaller, though I had to manually(add/remove plus one reg delete) uninstall norton utilities 14 first, before it would run.

Was thinking of trying to find another drive and load just windows for a few days to see if I have the problem, but then figured there is always a slight chance that it could be hard drive related, so best option would be to try just windows with this hard drive.

Kevin

 

If I reload W7, how long do they give you ti avtivate it?
I don't want to actually do that because I don't want to run into a bunch of problems with reloading it and activating it 2 or 3 times while testing this out.

Am I right in assuming that if I don't activate it, it doesn't show up on their radar as an install?

That way, when I do the SSD install, I won't have anyproblems.

Kevin

 

Aside from standard Windows drivers, I don't see anything now that I think might be causing this error. I haven't seen anything that makes me think it could be malware.

Code:

*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 44, {fffffa8004393d90, 1d7b, 0, 0}

Probably caused by : mrxsmb.sys ( mrxsmb!RxCeCompleteConnectRequest+367 )

Followup: MachineOwner
---------

2: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

MULTIPLE_IRP_COMPLETE_REQUESTS (44)
A driver has requested that an IRP be completed (IoCompleteRequest()), but
the packet has already been completed.  This is a tough bug to find because
the easiest case, a driver actually attempted to complete its own packet
twice, is generally not what happened.  Rather, two separate drivers each
believe that they own the packet, and each attempts to complete it.  The
first actually works, and the second fails.  Tracking down which drivers
in the system actually did this is difficult, generally because the trails
of the first driver have been covered by the second.  However, the driver
stack for the current request can be found by examining the DeviceObject
fields in each of the stack locations.
Arguments:
Arg1: fffffa8004393d90, Address of the IRP
Arg2: 0000000000001d7b
Arg3: 0000000000000000
Arg4: 0000000000000000

Debugging Details:
------------------


IRP_ADDRESS:  fffffa8004393d90

FOLLOWUP_IP: 
mrxsmb!RxCeCompleteConnectRequest+367
fffff880`07b807c7 33d2            xor     edx,edx

CUSTOMER_CRASH_COUNT:  1

DEFAULT_BUCKET_ID:  VISTA_DRIVER_FAULT

BUGCHECK_STR:  0x44

PROCESS_NAME:  System

CURRENT_IRQL:  2

DEVICE_OBJECT: fffffa8004b0da40

LAST_CONTROL_TRANSFER:  from fffff8000327a8bc to fffff800032d3640

STACK_TEXT:  
fffff880`02f8a168 fffff800`0327a8bc : 00000000`00000044 fffffa80`04393d90 00000000`00001d7b 00000000`00000000 : nt!KeBugCheckEx
fffff880`02f8a170 fffff880`07b807c7 : fffffa80`03c7cb40 fffffa80`03c7cb40 fffffa80`04a2d850 fffffa80`03c7cb40 : nt! ?? ::FNODOBFM::`string'+0x32c7c
fffff880`02f8a1b0 fffff880`07b8249e : 00000000`00000000 00000000`00000702 fffffa80`03f7bd08 00000000`00000006 : mrxsmb!RxCeCompleteConnectRequest+0x367
fffff880`02f8a230 fffff880`07b8237c : 00000000`00000000 fffffa80`03f7bd08 00000000`63437852 00000000`00000706 : mrxsmb!SmbWskAsynchronousConnectCompletionWorker+0x106
fffff880`02f8a2d0 fffff800`032d6a91 : fffffa80`068d87d3 fffffa80`0463790c 00000000`00000000 fffff880`02f8a168 : mrxsmb!SmbWskAsynchronousConnectCompletion+0xb8
fffff880`02f8a320 fffff880`040689a5 : 00000000`00000000 00000000`e0000002 fffffa80`068d8700 00000000`00000000 : nt!IopfCompleteRequest+0x3b1
fffff880`02f8a400 fffff880`040d1b2e : 00000000`00000003 fffffa80`066b22d0 fffffa80`06876b60 fffffa80`063bb400 : afd!WskProTLConnectComplete+0x105
fffff880`02f8a4c0 fffff880`040d1c5b : fffffa80`04a048e0 00000000`00000003 00000000`00000000 fffffa80`000005a7 : afd!WskTdiConnectFinish+0x3e
fffff880`02f8a4f0 fffff800`032d6a91 : fffffa80`066b2433 00000000`00000003 fffffa80`04b81dd0 00000000`00000000 : afd!WskTdiCOMPConnect+0x1b
fffff880`02f8a520 fffff880`00c93a7a : 00000000`00000001 fffffa80`03ea8a02 fffffa80`05b1f9a0 00000000`00000000 : nt!IopfCompleteRequest+0x3b1
fffff880`02f8a600 fffff880`0168fa23 : 00000000`000000c0 fffffa80`04750210 fffffa80`0681d620 00000000`00000000 : tdx!TdxConnectConnectionTlRequestComplete+0xfa
fffff880`02f8a680 fffff880`0168ac21 : 00000000`00000011 fffffa80`0681d620 00000000`00000001 fffff800`032d9a3a : tcpip!TcpCreateAndConnectTcbComplete+0x233
fffff880`02f8a790 fffff880`01678d54 : 00000000`00000000 fffff880`0166414c fffffa80`0598d410 fffffa80`0595a410 : tcpip!TcpTcbCarefulDatagram+0x801
fffff880`02f8a940 fffff880`016775ea : fffffa80`0462aa60 fffff880`0166fa00 fffffa80`04608801 00000000`00000000 : tcpip!TcpTcbReceive+0x724
fffff880`02f8ab30 fffff880`016792ab : fffff880`05ee9f22 fffffa80`0476b000 00000000`00000000 00000000`00000000 : tcpip!TcpMatchReceive+0x1fa
fffff880`02f8ac80 fffff880`01670137 : fffffa80`0462aa60 fffffa80`0462bd90 fffffa80`00007cc2 00000000`00000000 : tcpip!TcpPreValidatedReceive+0x36b
fffff880`02f8ad50 fffff880`0166fcaa : 00000000`00000000 fffff880`017849a0 fffff880`02f8af10 fffffa80`0588e000 : tcpip!IppDeliverListToProtocol+0x97
fffff880`02f8ae10 fffff880`0166f2a9 : 00000015`00000004 03006003`0000000b fffff880`00000000 fffff880`02f8af00 : tcpip!IppProcessDeliverList+0x5a
fffff880`02f8aeb0 fffff880`0166cfff : 00000000`00000000 fffffa80`0476b000 fffff880`017849a0 00000000`04eed801 : tcpip!IppReceiveHeaderBatch+0x23a
fffff880`02f8af90 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : tcpip!IpFlcReceivePackets+0x64f


STACK_COMMAND:  kb

SYMBOL_STACK_INDEX:  2

SYMBOL_NAME:  mrxsmb!RxCeCompleteConnectRequest+367

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: mrxsmb

IMAGE_NAME:  mrxsmb.sys

DEBUG_FLR_IMAGE_TIMESTAMP:  4d649376

FAILURE_BUCKET_ID:  X64_0x44_mrxsmb!RxCeCompleteConnectRequest+367

BUCKET_ID:  X64_0x44_mrxsmb!RxCeCompleteConnectRequest+367

Followup: MachineOwner
---------

I think you get 30 or 90 days to run W7 as a 'trial' but it can be extended 2x. If you use the default key - built into the install, iirc, then your key doesn't get used. I may be off track though - don't bank on it

 

Well, it did it again.
Seem to be getting more frequent.
Still wondering in the back of my head if this could be hardware related, and getting worse.
Plan to image the drive and then format and load just windows and maybe outlook, and see if it keeps doing it.
If it does, then I will just load windows on a different drive to see if it's the drive or what.
If none of that does it, not sure where to go.

Kevin

 

I think that's probably the way to go now.

 

WIped the C: partition, and loaded just windows and Avast, we'll see what happens.

Does Windows 7 (64 bit if it matters) automatically have minidumps turned on?
Is there anyway I can check?

I ask because there was no folder yet for it, and wondered if it just created on on the first crash, or if I had to turn on MDs.?

Kevin

 

I'm really not sure Kevin, it may even depend on the SKU version - Home, Pro., Bells and Whistles - whatever they call the different editions It's one of the very first areas I check/set on install anyway, Windows key+Pause/Break > Advanced Windows settings > Startup and recovery Settings.

Checkout the things DavidGP mentioned, they all seem pertinent to this problem and might modify the way you install programs or the order you install them in, etc.

Also check the C:\Windows\setuperr.log, it will list any errors during the install, just one glitch - bad/dirty DVD? - might be enough to cause weird errors further down the line.

 

Hi,
After imaging the C: partition, I wiped and loaded windows and avast alone, and am giving it a week or so to see if it BSODs again. If not I guess I can clear any hardware cause.

Then I can reload the old image back on and test further the software end.

Regarding your other questions,

I removed the synology software, and have removed the mapped drives, though I removed the drive map just before the fresh install, so not sure yet if it has had any effect. The removing the synology software had no effect.

Backup was running Acronis TIH 2011, doing differential backups, with a new full back up every 7th time.
Basically a 39m with several 3ms, usually 12 minutes for a full.
I had been testeing a few different backup programs, and decided on TIH.
Was running a basic daily backup schedule on the C; partion to test it's operation before setting up a full one that did both C: and D:, weekly.

I am running an Intel I7 860 on a Gigabyte P55AUD4p 1156 board.

None of the things under device manager show ! and the drivers were updated during this process, but I don't know if the chipset driver was done.
Will check that when I reload the old image back on.

I mentioned before that I had done some memory and cpu OCing, but it became unstable. Could that have corrupted something that cause the BSOD and would gradulally get worse.
I was running the mem at 1600, which it's rated for, but again, not stable. Finally found the settings that lead to stable at that speed, but reset it back to stock for now. Perhaps the dmage was done?

Kevin

 

Checked, and the fresh load windows shows that it is set to log a report if it crashes, but is set to kernal rather than small dump.
So I believe it's set to save a kernal dump under the system drive.
Should I change it to the small 256k setting?

I assume you wanted me to check the setuperr log on the old image that we have been dealing with, not the temp windows only one I am using to verify that it's not something other than sodtware related?


Kevin

 

Yes, set it to save a minidump and NOT to overwrite - it might take a little fiddling to do this.

Check both setuperr logs, any discrepancy between the 2 installs might be useful to know - it's vital to get Windows installed correctly to begin with. Take your time, check System and Application logs between each update and install to be sure that all went well.

 

OK, don't know about the original install we are working, that's in storage , but there is nothing listed in the setuperr.log on the current load.

Changed the settings on this load to minidump instead of kernal, and set it to not reboot after (so I will be more likely to notice when it happens).

Didn't see any available option to not overwrite previous minidumps.
There was one for the kernal dump, but it was grayed out under the minidump option.

If this clean install results in no issues (fingers crossed), I can go back and try some of the other things mentioned on the "real" setup.
At least then I can attack it, much more confident that it's actually something I'm looking for, not some bad memory or intermittent drive failure etc.
The fact that it's crashed more lately at least makes it easier, waiting a week or more to wait for a crash, then remove one thing is a pain.

Is there a way to send you a copy of what boots when I'm back on the old system? If I do as DavidGP says and keep things from booting up, I want to make sure I don't stop anything that will keep everything from booting.

One plus on this is that I get to test my backup. While I decided on TIH for the backup, I had no way of knowing if it would really be there if something happened. I could try what I did now, wipe and try to reload from an image, but that's a lot to try just because, and involves a certain amount of risk.

Since I sort of have to, I get to verify this now.

Sure hope it works.rolleyes

Kevin

 

Hey Kevin, I forgot to reply to this one,

To reset the overwrite, you might have to select Kernel or memory dump and apply it then uncheck the box, apply again then reset it to minidump.

I think CCleaner allows you to export or save a basic version of Startup apps, a (vastly) better option would be by using Autoruns. Warning: Autoruns can kill Windows, treated with care, it's a wonderful addition to a tech toolkit. Warning #2: be careful with CCleaner's Registry cleaner, I have a feeling that it may cause problems with some subsequent MSFT installs when it cleans out 'unused' entries. I now uncheck the top 4 entries in that section.

Have you tested the stability under high load of the new install by using something like OCCT yet?

 

Will check on the overwrite switch, though this build isn't long for this world. Still, need to know for the next.

Haven't run anything to "stress" the PC, just left it running 24/7 for the last 4 days. Since it would do it just idling before (maybe outlook open, though sometimes not), I didn't think of that.
Will check it out and see what happens.

By the way, I have used CCleaner registry thing regularly before, any chance that caused any of this?

I plan to run this until this weekend, and if no errors, plan to try and reload the old image back, and then see if I can find out what caused this by keeping things from booting. Of course, that brings us back to the same old issue, I need 7-10 days clean to be reasonably sure it's not doing it, so will have to delete in groups, so as not to be doing this until Christmas.

Speaking of Christmas, I ordered a 120g SSD today, so while I would like to confirm where the issue came from and not load that program/driver again, ultimately this thing is getting a fresh reload. Figure it will take me a week to get the drive in, so I will go maybe a week past that, then the combination of the desire to end this and the excitement to install the SSD, will probably bring this to a close.

Kevin

 

My suspicion about CCleaner and the 'unused' Registry entries is purely based on scanning through logs here and trying to track back to find possible causes to the user's current problems. There have been several failed installs of MS products that point to Registry entries being missing that leads to the failure to install. If I read these correctly, the installers cannot create the needed entries themselves, they can only modify existing keys. On a couple of occasions, the OP had been a user of CCleaner, in others, there was more than a suspicion that other Registry 'fixers' had been used. All purely circumstantial but I've also seen other comments to the effect that 'reinstalling the CCleaner saved reg. entries isn't always a complete reversal'.

In your case Kevin, I really don't see any evidence that this might have played a part in what was BSODing your system.

Great news on the SSD! You are planning to do a full, fresh install of W7 on it, yes? W7 does install and setup slightly differently on an SSD compared to a HDD install/setup

 

Yes, on the full fresh reload with the SSD.
Makes me sort of look forward to doing it. I always like the idea of a new system load to "get the crud out", but was more inclined to do it a couple decades ago, when a "large" hard drive was 10MB.

On the OCCT, what do you suggest I do with it? It seems to be aimed at OCing, and since nothing is over stock now, do you want me to OC it to see if I can generate a BSOD?

Kevin

 

No overclock needed, just run it a while as a stress test.

 

Downloaded OCCT.
Nice looking, but not sure of all the settings.
Any recommendation on what to run, and what to look for?

Kevin

 

Umm, no idea; only used it once and I probably used whatever the defaults were.

 

Do you know what it does if there is an error?

I ran OCCT test in Auto.
Somewhere, I think it said that auto cycles between mem and cpu.

Ran it for an hour, but walked away, an all I got was it saying it finished when I returned.

I assume I would either have a BSOD if it generated my issue, or a notification somehow if there had been any errors, but I don't know for sure.

CPU temps ranged from 30c to 54c for min and max, so no issue there.

Kevin

 

I guess it ran, did whatever the defaults are and finished normally

All you can do now is sit back and dream about that SSD

 

Well, after a week of no issues, I am concluding that it is not hardware.
Granted, it wasn't running as many apps as usual, but it was on 24/7 for a week rather than the usal 8-10hrs a day.

I succesfully reloaded the original system we were working on, and while waiting for the SSD, am continuing to search for the issue.

I have attached a copy of my startup (per ccleaner). Let me know if there is anything I particularly should stop from running, or that I absolutlely shouldn't stop.
Depending on how long this takes to BSOD, I have 1-3 cycles of remove stuff and crash, but would like to not just delete everything becasue some of these have to go back on.

Anyway, wondering about things like tnuances PDF program, the active x update, and ISUSMP.

Finally, should I assume that programs I have that don't load unless executed (i.e. Lightroom etc) aren't causing this, and it has to be something that loads all the time?
Would such an itme be on this list, or could it be loading elsewhere?

Thanks,

Kevin

PS, updated the .inf driver as previously requested.

 

Oh really ?

The BSOD's were so consistent that they had to be caused by something that's loading every time, is my view.

 

I hates when I do that!

 

I only have Avast! from that list, only 1 other startup too I don't even have a lot of the fancy extras that load by default with Explorer etc., that you can't even see with CCleaner.

Most of those programs you'd do better to checkout yourself, only you can really judge whether you need them loading at every startup.

 

So I guess that means I can cancel pretty much everything else without fear of windows not running.

How do I see what explorer loads?

On a somewhat related note, since I will be reloading everything on the new SSD, I will have the chance to actually make a image of the fresh load.

What do you recommend loading prior to making an archived image?

I would like to do W7, outlook and office, but am not sure about other staples like AV and Quicken because they will eventually be replaced with the next version.
Is it best to just have load the first three mentioned, or should I image after getting the load the way I want it, knowing that if I do a "refresh" next year I will have to un-install the AV and Quicken etc. to replace them with the newer version?

Or should I do both?


Almost forgot, what 4 items in CCleaner should I uncheck for the registry clean?
Kevin

 

OK, BSODed only a few hrs after image restored.

Funny thing is the minidump is different, see attached.

Maybe this will help.

Kevin

 

Code:

*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 44, {fffffa8004407b60, 1d7b, 0, 0}

Unable to load image Rt64win7.sys, Win32 error 0n2
*** WARNING: Unable to verify timestamp for [B][COLOR="Blue"]Rt64win7.sys[/COLOR][/B]
*** ERROR: Module load completed but symbols could not be loaded for [COLOR="Blue"][B]Rt64win7.sys[/B][/COLOR]
Probably caused by : [B][COLOR="Blue"]mrxsmb.sys[/COLOR][/B] ( mrxsmb!RxCeCompleteConnectRequest+367 )

Followup: MachineOwner
---------

2: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

MULTIPLE_IRP_COMPLETE_REQUESTS (44)
A driver has requested that an IRP be completed (IoCompleteRequest()), but
the packet has already been completed.  This is a tough bug to find because
the easiest case, a driver actually attempted to complete its own packet
twice, is generally not what happened.  Rather, two separate drivers each
believe that they own the packet, and each attempts to complete it.  The
first actually works, and the second fails.  Tracking down which drivers
in the system actually did this is difficult, generally because the trails
of the first driver have been covered by the second.  However, the driver
stack for the current request can be found by examining the DeviceObject
fields in each of the stack locations.
Arguments:
Arg1: fffffa8004407b60, Address of the IRP
Arg2: 0000000000001d7b
Arg3: 0000000000000000
Arg4: 0000000000000000

Debugging Details:
------------------


IRP_ADDRESS:  fffffa8004407b60

FOLLOWUP_IP: 
mrxsmb!RxCeCompleteConnectRequest+367
fffff880`07b7e7c7 33d2            xor     edx,edx

CUSTOMER_CRASH_COUNT:  1

DEFAULT_BUCKET_ID:  VISTA_DRIVER_FAULT

BUGCHECK_STR:  0x44

PROCESS_NAME:  System

CURRENT_IRQL:  2

LAST_CONTROL_TRANSFER:  from fffff800032288bc to fffff80003281640
[B][COLOR="Blue"]
STACK_TEXT[/COLOR][/B]:  
fffff880`0318a168 fffff800`032288bc : 00000000`00000044 fffffa80`04407b60 00000000`00001d7b 00000000`00000000 : nt!KeBugCheckEx
fffff880`0318a170 fffff880`07b7e7c7 : fffffa80`04290b30 fffffa80`04290b30 fffffa80`062c4160 fffffa80`04290b30 : nt! ?? ::FNODOBFM::`string'+0x32c7c
fffff880`0318a1b0 fffff880`07b8049e : 00000000`00000000 00000000`00000702 fffffa80`06eae9d8 00000000`00000006 : mrxsmb!RxCeCompleteConnectRequest+0x367
fffff880`0318a230 fffff880`07b8037c : 00000000`00000000 fffffa80`06eae9d8 00000000`63437852 00000000`00000706 : mrxsmb!SmbWskAsynchronousConnectCompletionWorker+0x106
fffff880`0318a2d0 fffff800`03284a91 : fffffa80`055a4ab3 00000000`00000000 00000000`00000000 fffff880`0318a168 : mrxsmb!SmbWskAsynchronousConnectCompletion+0xb8
fffff880`0318a320 fffff880`02f2c9a5 : 00000000`00000000 00000000`e0000002 fffffa80`055a49e0 00000000`00000000 : nt!IopfCompleteRequest+0x3b1
fffff880`0318a400 fffff880`02f95b2e : 00000000`00000003 fffffa80`043cab10 fffffa80`06a88e00 fffffa80`04349160 : afd!WskProTLConnectComplete+0x105
fffff880`0318a4c0 fffff880`02f95c5b : fffffa80`061cfa30 00000000`00000003 00000000`00000000 fffffa80`000005a7 : afd!WskTdiConnectFinish+0x3e
fffff880`0318a4f0 fffff800`03284a91 : fffffa80`043cac73 00000000`00000003 fffffa80`04ab8670 00000000`00000000 : afd!WskTdiCOMPConnect+0x1b
fffff880`0318a520 fffff880`02eeca7a : 00000000`00000001 fffffa80`03f29802 fffffa80`04afa360 00000000`00000000 : nt!IopfCompleteRequest+0x3b1
fffff880`0318a600 fffff880`016f5a23 : 00000000`000000c0 fffffa80`04741f88 fffffa80`06210270 00000000`00000000 : tdx!TdxConnectConnectionTlRequestComplete+0xfa
fffff880`0318a680 fffff880`016f0c21 : fffffa80`04abd600 fffffa80`06210270 00000000`00000001 00000000`00000000 : tcpip!TcpCreateAndConnectTcbComplete+0x233
fffff880`0318a790 fffff880`016ded54 : 00000000`00000000 fffff880`0318a948 fffff880`0318a948 fffff880`00000042 : tcpip!TcpTcbCarefulDatagram+0x801
fffff880`0318a940 fffff880`016dd5ea : fffffa80`0460e870 fffff880`016d5a00 fffffa80`045ecb01 00000000`00000000 : tcpip!TcpTcbReceive+0x724
fffff880`0318ab30 fffff880`016df2ab : fffff880`0606dce2 fffffa80`0475b000 00000000`00000000 00000000`00000000 : tcpip!TcpMatchReceive+0x1fa
fffff880`0318ac80 fffff880`016d6137 : fffffa80`0460e870 fffffa80`04613820 fffffa80`0000c6c6 00000000`00000000 : tcpip!TcpPreValidatedReceive+0x36b
fffff880`0318ad50 fffff880`016d5caa : 00000000`00000000 fffff880`017ea9a0 fffff880`0318af10 fffffa80`0502c970 : tcpip!IppDeliverListToProtocol+0x97
fffff880`0318ae10 fffff880`016d52a9 : fffff880`017ea9a0 fffffa80`0502ca00 fffff880`0318aea0 fffff880`0318af00 : tcpip!IppProcessDeliverList+0x5a
fffff880`0318aeb0 fffff880`016d2fff : 00000000`00000000 fffffa80`0475b000 fffff880`017ea9a0 00000000`0513fb01 : tcpip!IppReceiveHeaderBatch+0x23a
fffff880`0318af90 fffff880`016d25f2 : fffffa80`0513e120 00000000`00000000 fffffa80`0513fb01 00000000`00000001 : tcpip!IpFlcReceivePackets+0x64f
fffff880`0318b190 fffff880`016d1a8a : fffffa80`0513fba0 fffff880`0318b2c0 fffffa80`0513fba0 fffff880`01450000 : tcpip!FlpReceiveNonPreValidatedNetBufferListChain+0x2b2
fffff880`0318b270 fffff800`0328e078 : fffffa80`0502c2b0 00000000`00004800 fffff880`0316e0c0 00000000`00000000 : tcpip!FlReceiveNetBufferListChainCalloutRoutine+0xda
fffff880`0318b2c0 fffff880`016d2152 : fffff880`016d19b0 fffff880`03163180 fffffa80`04747302 00000000`00000000 : nt!KeExpandKernelStackAndCalloutEx+0xd8
fffff880`0318b3a0 fffff880`0151a0eb : fffffa80`05140010 00000000`00000000 fffffa80`04e3e1a0 fffff900`c0bcb000 : tcpip!FlReceiveNetBufferListChain+0xb2
fffff880`0318b410 fffff880`014e3ad6 : fffffa80`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ndis!ndisMIndicateNetBufferListsToOpen+0xdb
fffff880`0318b480 fffff880`0145ccc1 : fffffa80`04e3e1a0 00000000`00000002 00000000`00000001 00000000`00003402 : ndis!ndisMDispatchReceiveNetBufferLists+0x1d6
fffff880`0318b900 fffff880`04a1596b : fffffa80`04e94000 fffffa80`0502dcb0 fffffa80`04e94610 00000000`00000000 : ndis!NdisMIndicateReceiveNetBufferLists+0xc1
[B][COLOR="Blue"]fffff880`0318b950 fffffa80`04e94000 : fffffa80`0502dcb0 fffffa80`04e94610 00000000`00000000 00000002`00000001 : Rt64win7[/COLOR][/B]+0x1596b
fffff880`0318b958 fffffa80`0502dcb0 : fffffa80`04e94610 00000000`00000000 00000002`00000001 00000000`00000004 : 0xfffffa80`04e94000
fffff880`0318b960 fffffa80`04e94610 : 00000000`00000000 00000002`00000001 00000000`00000004 00000000`0486d000 : 0xfffffa80`0502dcb0
fffff880`0318b968 00000000`00000000 : 00000002`00000001 00000000`00000004 00000000`0486d000 00000000`00000001 : 0xfffffa80`04e94610


STACK_COMMAND:  kb

SYMBOL_STACK_INDEX:  2

SYMBOL_NAME:  mrxsmb!RxCeCompleteConnectRequest+367

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: mrxsmb

IMAGE_NAME:  [COLOR="Blue"][B]mrxsmb.sys[/B][/COLOR]

DEBUG_FLR_IMAGE_TIMESTAMP:  4d649376

FAILURE_BUCKET_ID:  X64_0x44_mrxsmb!RxCeCompleteConnectRequest+367

BUCKET_ID:  X64_0x44_mrxsmb!RxCeCompleteConnectRequest+367

Followup: MachineOwner
---------

The warning and error about Rt64win7.sys I don't think we've seen before, this could mean file corruption. Can you copy the file to your Desktop and upload it to Virustotal please and post the link to the scan result? You'll need to reload the latest RealTek network card drivers too, hopefully, it'll clear up that issue.

Also, this time, Rt64win7.sys is implicated in the STACK_TEXT (scroll to the right to see it listed). So, yes, the dump this time is a little different.



Could you check and limit the 'chatter' over the LAN\WAN by setting your network adapter as per my attachment once it's reinstalled please?

 

Already did a reload of the nic and sound last night after sending the you the post, and after the crash.

Changed the network settings as shown, (unchecked "enablelmhost" and switched from default to disable on the other).

Not sure what you mean about the other. DO I just do a search for the file rt64win, and how do I send it to virustotal?

Sorry, never heard of virustotal

Kevin

 

Virustotal checks for malware using up to 40 different antivirus engines. But if you've already replaced the nic drivers, little point in doing it now

 

Well, lucky for us I guess it didn't make a difference!rolleyes
None for a week on the fresh load and 2 in one 24hr period since retoring the old system.
If I don't forget, I will attache the new dump.
FYI, disabled everything except Avast, Roboform the Realtek sound driver and windows sidebar before this last crash. Tried booting with the "basic" load as far as system stuff, but I had no internet, sound, and outlook and a couple other programs wouldn't run because they couldn't find the correct registration number or something.

What did the changes to the network do, and when I reload everything should I do that to the new system or was it just to test?

Kevin

 

In looking for more things to remove, I still question finding 16 versions of Microsoft visual c+ from 2005 to 2008.

Why so many?

Kevin

 

The most recent versions of C++ would have been bundled with Windows to enable the most recent software to run. The oldest C++ packages would have originally been installed by (often 3rd party) programs for compatibility purposes, it depends on how each program was deleloped and, probably, how many versions of Windows it's designed for, or compatible with. Windows or Microsoft Update will then add security and other updates to the packages it finds installed. I've attached my C++ installs and updates for comparison.

The networking changes I suggested were only to reduce the default chatter over the network in the vain hope that it would have an effect. It's part of the way I setup my machine, it's standalone and has (I hope) fewer routes to defend against threats over the LAN/WAN that way.

Apart from the Rt64win7.sys still not able to be recognised by the MS Symbols server, the dump looks much the same.

I'm coming to the conclusion that this problem may have been triggered by some historic 'tweak', 'fix' or software that was installed on the image but wasn't a 'problem' until something related was updated. I don't think I can do much more with it remotely. If you far enough with your uninstalls, you may find it clears up, you'll need to reboot and test between each change if you want to pinpoint the 'bad guy', it could take a very long time ...

 

Will try a couple more, and if that doesn't do it, before loading the new SSD, will try removing everything except the basic OS etc., and see if it is basically something corrupted at the base level.

Was wondering, can I "un-install" the various windows updates and let windows re-install them?

Same question with the C++ packages?

Ultimately, I'm wondering if it's possible that none of the stuff I'm running created the issue, and the couple of BSODs I got when playing with OCing the CPU and Memory corrupted something?

Kevin

 

C++ packages are only in use when a program you run needs them, I don't think any of it is pre-loaded by Windows.

Sure, you can try to uninstall as much as you like, eventually, you might hit on the patch that might be at fault.

Corruption's always a possibility; if it happens to the Windows protected files, it's usually fixed automatically, SFC might detect more and fix them.

 

I ran SFC, and just re-ran just incase, but it comes back nothing.

Can I in effect "un-install all the updates since the install of W7, then just
do a check for updates, or is that likely to crash the computer?

In C++, if I un-install them, will the programs that need them say they need to install a needed item, or will they just not run?

As far as CCleaner, which 4 items should I not run on the registry cleanup?

I on occasion have run it and Norton registry cleaner, and wonder if either has any hand in the issues I'm having?

Kevin

 

You can uninstall anything you like If a program needs a supporting library (eg. C++) to run and it can't find it, you'll get an error. Sometimes you can find the recent libraries online at MSFT, other's, especiually older ones, you won't - they'll need to be re-downloaded from the supplier of the software.

I uncheck the top 4 items in CCleaners Registry cleaner.

Yes, running blindly any registry 'cleaner' may have knock-on effects further down the line, often after installing (or during an attempted install of) later MSFT products.

 

I noticed on the linked page to "Autoruns", there was a listing for Registry Booster 2011.
Since it was listed here at MGs, I was wondering if it's any good.

Ran their free test, and came up with a bunch of errors(208), but don't know if that's accurate or not.

Kevin

 

It's a crapware advertisement - don't go there.

 

OK, not to jinx anything, but I'm on day 5 with no BSODs.:-D
Now to figure out what I did!rolleyes

I did want to see if you could look at the 2 attached dumps again. I believe you looked at them seperately before, and although the listed problem driver is different, I think you concluded that it was the same thing.

Here's the chain of events so far.
4/24 1:30AM BSOD, still interupt issue, but different noted driver.
4/24 2:00AM, went into config and disabled all but three start items.
4/24 11:00PM BSOD again, same issue, but back to mrxsmb as listed driver.

Over the next day, un-installed several things (have to go back and determine exactly what), and ran the free Registry Booster before finding out from you it was"crapware". It listed 208 issues, and fixed 15 free, the rest I would have to buy the software.
I mention this only because it's something I did after the last BSOD, but have no knowledge of it being any help.

Anyway, some of the things like Carbonite, Tivo Desktop, Acronis stuff etc., I thought could be a possible cause of my problems due to them being network involved, are now not run at start up.
However, since it BSODed less than 24hrs after turning them off, am I correct to assume they probably aren't the issue!?

The reason for the BSODs attached is I wanted to make sure that it's the same BSOD that happened before and after turn off all the startup items, before I turn them back on. (OK, since they were already attached, can't put them on this reply, but they are the 2 from 4/24, 10857 and 11060.)

Also, the majority of the things deleted where about 10 programs that came with my Canon P&S at Christmas. In theory, they are programs that I "run", and not network attached.
That said, they do have different programs to load video and photos to the net, and want to detect and run themselves when a memory card is inserted.

Since I also have Nikon's software that came with my DSLR, and Lightroom 3, I'm wondering if there could be a conflict in them interacting in the way they wait for a memory card, or connect to the net. I don't know, maybe they have an issue with W7 64bit.

SSDs, here:yum, but since I seem to be close to nailing this down, or at least excluding some key programs that i want to reload, I plan on re-starting the autorun stuff and see if I continue to be BSOD free. This close, I can do another week to finally resolve it..I hope!

The unknowns here though are the 15 registry items supposedly fixed by the Registry Booster, and that MS downloaded several updates after the second BSOD that said they had something to do with stability issues.
For all I know, MS fixed something and left me thinking something I un-installed did it.

Anyway, what say you?

Kevin

 

Mhm, where to begin ...

WhoCrashed free version:

Compare this with the attachment which shows the BSV and the stack text from both dumps. WhoCrashed - ntoskrnl, BSV - mrxsmb and NDProxy, WinDbg - MRXSMB.

Are you still hooked up to the NAS or not?

 

Yes, still hooked to the NAS, though it is not mapped in windows.
Still, after I removed the maping from windows, I got 3 more BSODs.

So BSV and Who Crashed have different views on what caused the BSOD?

Back to the other question, WC says it's the same cause, BSV says 2 different causes, but I still assume that since it crashed even after leaning out my startups, none of them are likey the cause.
Even though BSV shows two different drivers, the later one is the same as we've been getting from it all along.

By the way, what is a ntoskrnl? Till now I've been focused on mrxsmb.

At this point I'm not sure the easiest route. I could try and reload various things, and see what happens, or maybe just reinstall the image that was crashing and download the windows updates and see if it still happens, then unload the Canon stuff etc..

I'm torn because I don't mind so much doing the work, it's the 5-7 days wait to see if somethings wrong.

By the way, also disabled a couple things in IE9. When loading it has the popup on the bottom that says you can speed up IE startup by running less things. There were 4-5 things there, now there is just roboform and avast I think.
Since I don't think IE has ever been open when it crashed, are these unlikley to be related?

Kevin

 

This translates to about 1.5 grams of pixie dust that's sprinkled into your PC during the first few seconds of Windows booting up; everything within Windows depends upon it and it depends on solid hardware and well-written and implemented drivers.

All 3 programs used have slightly different interpretations of what caused the error, yes - none of them got it right because the error is triggered by a higher level problem - further away from the Windows core. To get a fuller picture of what went wrong, you'd need to set the PC to run a full memory dump where the dump file would be the same size as the amount of installed RAM. Unless you have a PC sat next to you that can transfer the dump over to and debug from that, it's really an impractical suggestion outside the corporate workplace.

IE probably has nothing to do with the BSOD's.

Windows Updates could well have triggered a change of behaviour here, only time will tell - it's just one of many variables.

You might consider using Driver Verifier, it will monitor and stress/test the kernel-mode and graphics drivers, if it detects a potential or real problem it will BSOD. Sometimes it'll tell you the driver that caused the problem, sometimes it won't. Read the info carefully

 

Just wanted to update you on the current status.
After confirming that it wasn't hardware by wiping the disc and installing a fresh windows environment and using it for a week, I re-installed an image of the problem system and had it crash twice within a day. As noted previously, once with, and once without the various items active in startup.
After that, some combination of the windows updates that came down between the 17th and 24th, and un-installing a bunch of programs left me with an (as far as I can tell) conmpletely stable system.
Not knowing if it was the MS updates or something I removed, I reloaded the drive image again, and had it crash over night (see attached dump).
This brings up two things.
1) This was after the MS updates, but with nothing else removed, but so far it hasn't crashed again, so waiting for another to confirm, before I start un-installing anything.

2)It crashed overnight, when it had already put the monitor to sleep due to the power mode settings. This goes back to a while back when I couldn't get it to wake from this mode and you had me disable the USB power down just incase. Evidently it wasn't an issue with that as much as the fact that I didn't see the BSOD that occurred because the power mode had already shut down the monitor. Luckily, this time I looked for a dump. Last time it was to early into the issue and I wasn't checking for those.

Oh well, since it crashed within 24hrs of reloading the image, I have to assume that the MS update didn't fix it, and it's not stable, but since it hasn't crashed again since, waiting to see.
Do you think I should turn the monitor sleep option back on to see if it triggers anything?
Don't really think that's it, because when I finally got it stable, it was with the usb power down not disable, and sleep after 30min on the monitor, yet no issues.
FYI, assuming this thing crashes again, the programs removed that lead to a stable system were:
1) 17 Canon programs that came with the Canon point and shoot camera. These ran from photo related to video, to uploading stuff for various sites.
2)Windows Essentials, mostly Messenger, calendar and photo
3)Data Color's Spyder Pro monitor calibration software.
4)Nuances PDF reader and creater software.
Also, MS debugging software, but I had loaded that after the issues started to read the BSODs before finding an easier way, so I'm sure it's not related.

Will let you know what happens.
Meanwhile, the SSD watches me, waiting for it's turn. Just want to nail this down, as I don't want to reload the problem, but much of this stuff I use, and if it's not the issue, need to re-install it.

Kevin

 

OK, I am slightly perplexed.:confused
All I've done after reloading the image that was constantly unstable is the updates from MS from a few weeks back. It crashed within 24hrs of the updates (see dump from previous post), but has been stable for 7 days now.rolleyes
I even reset the power settings to allow the monitor to sleep etc. just incase there was an issue with the video driver or something that caused it to BSOD when the video was powered down. That's only been a day, but I really don't think thatit was that, more like it just happened to BSOD at a time the monitor was powered down.
Since some of the MS updates stated that they were to help with system stability, I would chalk it up to them fixing whatever my issue was, but I don't know why it still felt the urge to BSOD after the update if that fixed it.:confused
IF this doesn't crash again in the next few days, I have to assume that it is fixed, but not evidently from anything we've done, unless somehow backing up the C: drive, then wiping the partition and restoring the image could have done anything to correct something wrong.
Is that even possible?
Other than that, the gods of Windows just smiled and somehow corrected the issue, but felt compeled to BSOD once to keep me on my toes and respect their awesomeness.

Kevin