Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

Windows Vista 64 tcpip.sys BSOD

Started by afrond , Aug 28 2011 10:14 AM

Please log in to reply

#1
afrond

Posted 28 August 2011 - 10:14 AM

Member

Member
14 posts

Hi,

I started getting BSOD's every now and then some time after a fresh install of Windows. Minidumps since the first crash attached, I hope you can help!

Thanks!

Attached Files

Minidump.zip 98.54KB 160 downloads

#2
afrond

Posted 05 September 2011 - 10:54 AM

Member

Topic Starter
Member
14 posts

Update...I found logs like this in the Event Viewer, they appear at the time of the crashes:

=============================
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 4.9.2011 23:34:53
Event ID: 5038
Task Category: System Integrity
Level: Information
Keywords: Audit Failure
User: N/A
Computer: Tietokone-PC
Description:
Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error.

File Name: \Device\HarddiskVolume2\Windows\System32\drivers\tcpip.sys
Event Xml:
<Event xmlns="http://schemas.micro.../events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" />
<EventID>5038</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12290</Task>
<Opcode>0</Opcode>
<Keywords>0x8010000000000000</Keywords>
<TimeCreated SystemTime="2011-09-04T20:34:53.446Z" />
<EventRecordID>4292</EventRecordID>
<Correlation />
<Execution ProcessID="4" ThreadID="48" />
<Channel>Security</Channel>
<Computer>Tietokone-PC</Computer>
<Security />
</System>
<EventData>
<Data Name="param1">\Device\HarddiskVolume2\Windows\System32\drivers\tcpip.sys</Data>
</EventData>
</Event>
=============================

Also, I've gotten these kinds of logs lately (they seem to appear randomly):
=============================
Log Name: System
Source: disk
Date: 5.9.2011 14:56:29
Event ID: 7
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer: Tietokone-PC
Description:
The device, \Device\Harddisk1\DR1, has a bad block.
Event Xml:
<Event xmlns="http://schemas.micro.../events/event">
<System>
<Provider Name="disk" />
<EventID Qualifiers="49156">7</EventID>
<Level>2</Level>
<Task>0</Task>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2011-09-05T11:56:29.672Z" />
<EventRecordID>83635</EventRecordID>
<Channel>System</Channel>
<Computer>Tietokone-PC</Computer>
<Security />
</System>
<EventData>
<Data>\Device\Harddisk1\DR1</Data>
<Binary>030080000100000000000000070004C0000100009C0000C000000000000000000040746401000000402D360000000000FFFFFFFF01000000580000840201000000200A1240032040000000003C0000000000000000000000886A360A80FAFFFF0000000000000000E063CC0780FAFFFF60DCF40680FAFFFF203AB20000000000280000B23A2000004000000000000000F00003000000000B00000000000000000000000000000000</Binary>
</EventData>
</Event>
=============================

So the problem is with one of my hard drives? Any idea how to fix this/remove the bad block from use etc.?

One more thing, what does this error mean?
=============================
Log Name: Application
Source: Microsoft-Windows-WMI
Date: 5.9.2011 19:35:56
Event ID: 10
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer: Tietokone-PC
Description:
Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.
Event Xml:
<Event xmlns="http://schemas.micro.../events/event">
<System>
<Provider Name="Microsoft-Windows-WMI" Guid="{1edeee53-0afe-4609-b846-d8c0b2075b1f}" EventSourceName="WinMgmt" />
<EventID Qualifiers="49152">10</EventID>
<Version>0</Version>
<Level>2</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2011-09-05T16:35:56.000Z" />
<EventRecordID>2945</EventRecordID>
<Correlation />
<Execution ProcessID="0" ThreadID="0" />
<Channel>Application</Channel>
<Computer>Tietokone-PC</Computer>
<Security />
</System>
<EventData>
<Data>//./root/CIMV2</Data>
<Data>SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99</Data>
<Data>0x80041003</Data>
</EventData>
</Event>
=============================

I attached a couple of recent minidumps aswell. Any help much appreciated!

Attached Files

Minidump2.zip 78.69KB 151 downloads

#3
rshaffer61

Posted 05 September 2011 - 10:58 AM

Moderator

Moderator
34,114 posts

Run hard drive diagnostics: http://www.tacktech....ay.cfm?ttid=287
Make sure, you select tool, which is appropriate for the brand of your hard drive.
Depending on the program, it'll create bootable floppy, or bootable CD.
If downloaded file is of .iso type, use ImgBurn: http://www.imgburn.com/ to burn .iso file to a CD (select "Write image file to disc" option), and make the CD bootable.

NOTE. If your hard drive is made by Toshiba, try the Hitachi DFT CD Image version of the software

Thanks to Broni for the instructions

If you have more than one RAM module installed, try starting computer with one RAM stick at a time.

NOTE Keep in mind, the manual check listed above is always superior to the software check, listed below. DO NOT proceed with memtest, if you can go with option A

B. If you have only one RAM stick installed...
...run memtest...

1. Download - Pre-Compiled Bootable ISO (.zip). If you prefer to use the USB version then use this link USB KEY
2. Unzip downloaded /memtest86+-4.20.iso.zip file.
3. Inside, you'll find /memtest86+-4.20.iso file.
4. Download, and install ImgBurn: http://www.imgburn.com/
5. Insert blank CD into your CD drive.
6. Open ImgBurn, and click on Write image file to disc
7. Click on Browse for a file... icon:

Posted Image

8. Locate [b/memtest86+-4.20.iso[/b] file, and click Open button.
9. Click on ImgBurn green arrow to start burning bootable memtest86 CD:

Posted Image

10. Once the CD is created, boot from it, and memtest will automatically start to run. You may have to change the boot sequence in your BIOS to make it work right.

To change Boot Sequence in your BIOS

Reboot the system and at the first post screen (where it is counting up memory) start tapping the DEL button
This will enter you into the Bios\Cmos area.
Find the Advanced area and click Enter
Look for Boot Sequence or Boot Options and highlight that click Enter
Now highlight the first drive and follow the directions on the bottom of the screen on how to modify it and change it to CDrom.
Change the second drive to the C or Main Drive
Once that is done then click F10 to Save and Exit
You will prompted to enter Y to verify Save and Exit. Click Y and the system will now reboot with the new settings.

The running program will look something like this depending on the size and number of ram modules installed:

Posted Image

It's recommended to run 5-6 passes. Each pass contains very same 8 tests.

This will show the progress of the test. It can take a while. Be patient, or leave it running overnight.

Posted Image

The following image is the test results area:

Posted Image

The most important item here is the “errors” line. If you see ANY errors, even one, most likely, you have bad RAM.

#4
afrond

Posted 05 September 2011 - 03:16 PM

Member

Topic Starter
Member
14 posts

I ran SeaTools found on the site you posted, and found 2 errors on one of my drives. The tool was able to fix them so I hope this solves my problem, time will tell.

Thank you very much for your help!

#5
rshaffer61

Posted 05 September 2011 - 03:24 PM

Moderator

Moderator
34,114 posts

Was the drive the main drive as that is the one the errors are occurring on.

#6
afrond

Posted 05 September 2011 - 05:02 PM

Member

Topic Starter
Member
14 posts

Yes, it was. There were no errors on my other drive.

#7
rshaffer61

Posted 05 September 2011 - 05:07 PM

Moderator

Moderator
34,114 posts

Have you had any errors since running the hard drive diagnostics?

#8
afrond

Posted 05 September 2011 - 05:26 PM

Member

Topic Starter
Member
14 posts

There has been a couple, but not the same ones I posted before:

======================
Log Name: System
Source: Microsoft-Windows-HttpEvent
Date: 5.9.2011 23:53:49
Event ID: 15016
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer: Tietokone-PC
Description:
Unable to initialize the security package Kerberos for server side authentication. The data field contains the error number.
Event Xml:
<Event xmlns="http://schemas.micro.../events/event">
<System>
<Provider Name="Microsoft-Windows-HttpEvent" Guid="{7b6bc78c-898b-4170-bbf8-1a469ea43fc5}" EventSourceName="HTTP" />
<EventID Qualifiers="49152">15016</EventID>
<Version>0</Version>
<Level>2</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2011-09-05T20:53:49.902Z" />
<EventRecordID>85079</EventRecordID>
<Correlation />
<Execution ProcessID="4" ThreadID="64" />
<Channel>System</Channel>
<Computer>Tietokone-PC</Computer>
<Security />
</System>
<EventData>
<Data Name="DeviceObject">\Device\Http\ReqQueue</Data>
<Data Name="SecurityPackage">Kerberos</Data>
<Binary>000004000200300000000000A83A00C00000000000000000000000000000000000000000000000000E030980</Binary>
</EventData>
</Event>
======================

======================
Log Name: System
Source: Microsoft-Windows-Dhcp-Client
Date: 6.9.2011 1:54:16
Event ID: 1003
Task Category: None
Level: Warning
Keywords: Classic
User: N/A
Computer: Tietokone-PC
Description:
Your computer was not able to renew its address from the network (from the DHCP Server) for the Network Card with network address 0023549E5C89. The following error occurred:
The semaphore timeout period has expired.. Your computer will continue to try and obtain an address on its own from the network address (DHCP) server.
Event Xml:
<Event xmlns="http://schemas.micro.../events/event">
<System>
<Provider Name="Microsoft-Windows-Dhcp-Client" Guid="{15A7A4F8-0072-4EAB-ABAD-F98A4D666AED}" EventSourceName="Dhcp" />
<EventID Qualifiers="0">1003</EventID>
<Version>0</Version>
<Level>3</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2011-09-05T22:54:16.000Z" />
<EventRecordID>85242</EventRecordID>
<Correlation />
<Execution ProcessID="0" ThreadID="0" />
<Channel>System</Channel>
<Computer>Tietokone-PC</Computer>
<Security />
</System>
<EventData>
<Data>0023549E5C89</Data>
<Data>%%121</Data>
</EventData>
</Event>
======================

This one occurred before I ran the diagnostics, but I'll add it since I hadn't noticed it before:
======================
Log Name: System
Source: Microsoft-Windows-DistributedCOM
Date: 5.9.2011 21:57:36
Event ID: 10010
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer: Tietokone-PC
Description:
The server {E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} did not register with DCOM within the required timeout.
Event Xml:
<Event xmlns="http://schemas.micro.../events/event">
<System>
<Provider Name="Microsoft-Windows-DistributedCOM" Guid="{1B562E86-B7AA-4131-BADC-B6F3A001407E}" EventSourceName="DCOM" />
<EventID Qualifiers="49152">10010</EventID>
<Version>0</Version>
<Level>2</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2011-09-05T18:57:36.000Z" />
<EventRecordID>85044</EventRecordID>
<Correlation />
<Execution ProcessID="0" ThreadID="0" />
<Channel>System</Channel>
<Computer>Tietokone-PC</Computer>
<Security />
</System>
<EventData>
<Data Name="param1">{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E}</Data>
</EventData>
</Event>
======================

#9
rshaffer61

Posted 05 September 2011 - 05:28 PM

Moderator

Moderator
34,114 posts

What browser do you use and what version is it?

#10
afrond

Posted 05 September 2011 - 05:32 PM

Member

Topic Starter
Member
14 posts

Firefox, latest version (6.0.1)

#11
afrond

Posted 05 September 2011 - 05:38 PM

Member

Topic Starter
Member
14 posts

Oh, and I've also had the WMI error again since I ran the diagnostics...forgot that one.

#12
rshaffer61

Posted 05 September 2011 - 07:33 PM

Moderator

Moderator
34,114 posts

OK lets clean up some internet stuff and see what happens then.

Download TFC by OldTimer to your desktop

Please double-click TFC.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
It will close all programs when run, so make sure you have saved all your work before you begin.
Click the Start button to begin the process. Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two. Let it run uninterrupted to completion.
Once it's finished it should reboot your machine. If it does not, please manually reboot the machine yourself to ensure a complete clean.

Background info courtesy of DonnaB Thank you

As for TFC, this is a tidbit of an article I found a while back by a MicroSoft MVP.

TFC (Temp File Cleaner) will clear out all temp folders for all user accounts (temp, IE temp, java, FF, Opera, Chrome, Safari), including Administrator, All Users, LocalService, NetworkService, and any other accounts in the user folder. It also cleans out the %systemroot%\temp folder and checks for .tmp files in the %systemdrive% root folder, %systemroot%, and the system32 folder (both 32bit and 64bit on 64bit OSs). It shows the amount removed for each location found (in bytes) and the total removed (in MB).

Before running, it will stop Explorer and all other running applications. When finished, if a reboot is required the user must reboot to finish clearing any in-use temp files.
-- TFC only cleans temp folders.
-- TFC will not clean URL history, prefetch, or cookies. Depending on how often someone cleans their temp folders, their system hardware, and how many accounts are present, it can take anywhere from a few seconds to a minute or more. TFC will completely clear all temp files where other temp file cleaners may fail.

#13
afrond

Posted 06 September 2011 - 07:13 PM

Member

Topic Starter
Member
14 posts

I ran TFC some 12 hours ago and the only warnings that have occurred since then are these:

=================
Log Name: System
Source: Microsoft-Windows-Dhcp-Client
Date: 7.9.2011 4:03:34
Event ID: 1003
Task Category: None
Level: Warning
Keywords: Classic
User: N/A
Computer: Tietokone-PC
Description:
Your computer was not able to renew its address from the network (from the DHCP Server) for the Network Card with network address 0023549E5C89. The following error occurred:
The semaphore timeout period has expired.. Your computer will continue to try and obtain an address on its own from the network address (DHCP) server.
Event Xml:
<Event xmlns="http://schemas.micro.../events/event">
<System>
<Provider Name="Microsoft-Windows-Dhcp-Client" Guid="{15A7A4F8-0072-4EAB-ABAD-F98A4D666AED}" EventSourceName="Dhcp" />
<EventID Qualifiers="0">1003</EventID>
<Version>0</Version>
<Level>3</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2011-09-07T01:03:34.000Z" />
<EventRecordID>86002</EventRecordID>
<Correlation />
<Execution ProcessID="0" ThreadID="0" />
<Channel>System</Channel>
<Computer>Tietokone-PC</Computer>
<Security />
</System>
<EventData>
<Data>0023549E5C89</Data>
<Data>%%121</Data>
</EventData>
</Event>
=================

=================
Log Name: System
Source: Tcpip
Date: 7.9.2011 1:23:51
Event ID: 4226
Task Category: None
Level: Warning
Keywords: Classic
User: N/A
Computer: Tietokone-PC
Description:
TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.
Event Xml:
<Event xmlns="http://schemas.micro.../events/event">
<System>
<Provider Name="Tcpip" />
<EventID Qualifiers="32768">4226</EventID>
<Level>3</Level>
<Task>0</Task>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2011-09-06T22:23:51.766Z" />
<EventRecordID>85883</EventRecordID>
<Channel>System</Channel>
<Computer>Tietokone-PC</Computer>
<Security />
</System>
<EventData>
<Data>
</Data>
<Binary>00000000010000000000000082100080000000000000000000000000000000000000000000000000</Binary>
</EventData>
</Event>
=================

Anything to worry about? I was thinking the latter one could just be just because I've been downloading some torrents lately...

#14
rshaffer61

Posted 06 September 2011 - 07:29 PM

Moderator

Moderator
34,114 posts

Anything to worry about? I was thinking the latter one could just be just because I've been downloading some torrents lately...

Possibly but also could be the affect of a hidden infection caused by one of those torrents.
You would be surprised what new ones could be out there that are hidden in those files.
Just a question would this have started after downloading a torrent file?

#15
afrond

Posted 07 September 2011 - 10:22 AM

Member

Topic Starter
Member
14 posts

I sorted the event viewer by source and it seems the first warnings of that sort (Event 4226, Tcpip) occurred over a month ago, on Aug 1st. I did a fresh install of Windows just a few days before that, and I don't remember using any torrents at that time. I only formatted my C: partition during the install though so if it's an infection, it could have been lying there on some other partition from before.