Win 10 BSODs, but only for one user



  • We have a laptop with individual accounts for each member of the family. It works OK for most of us, but for my youngest daughter it bluescreens shortly after logging in, every time. The BSOD says SYSTEM_SERVICE_EXCEPTION caused by wcifs.sys. This hasn't always been happening, but it's been a couple of months.

    I haven't been able to find much good information relating to this, and what I have found doesn't seem to point to anything that should be user-specific. I tried looking at Event Viewer but couldn't find anything useful - but then, I don't use Event Viewer often so I may not be looking in the right place.

    Any suggestions as to what I should be looking for or how I might be able to narrow down this problem?

    One of the suggestions I saw was that the AV filesystem driver could be causing an incompatibility with wcifs.sys, but I don't know why that would only manifest for one user - unless it's reading something in her settings or whatever upon login that's making it crash? Does that seem plausible? She doesn't have to do anything after login, it just crashes after maybe a minute.


  • Notification Spam Recipient

    Is it a limited account?

    Probably the easiest thing to do is create a new account and just copy over the docs...



  • @tsaukpaetra Yep, I only give the kids limited accounts on any machine.

    That is my default plan, as long as it's not some screwed up file in her account that's causing the problem. One difficulty is that she's worried about losing her stuff, but couldn't explain to me where she's putting it. 😕 (She's 11, so it shouldn't be that hard.) I guess I can just grab whatever looks likely and if she has to configure some things again, so be it.



  • @scarlet_manuka said in Win 10 BSODs, but only for one user:

    @tsaukpaetra Yep, I only give the kids limited accounts on any machine.

    That is my default plan, as long as it's not some screwed up file in her account that's causing the problem. One difficulty is that she's worried about losing her stuff, but couldn't explain to me where she's putting it. 😕 (She's 11, so it shouldn't be that hard.) I guess I can just grab whatever looks likely and if she has to configure some things again, so be it.

    Could you just keep the old version of the account and have her use the new one until you can figure out how it broke?



  • @ben_lubar Yeah, though the impetus for caring about how the old one broke is likely to be low if the new one is fine. (So maybe I should just migrate first and then decide whether I can even be bothered trying to troubleshoot, I guess.)

    I feel we're losing a little focus, though. The question at hand isn't about rescuing her account, it's about how to go digging for the cause.


  • Notification Spam Recipient

    @scarlet_manuka said in Win 10 BSODs, but only for one user:

    how to go digging for the cause.

    If you feel up to the Internet knowing what Windows updates you don't have yet, you could clear the event logs for the system and application logs and reproduce the problem (uploading the result), but that may or may not be helpful. In theory the minidump would be good too.


  • 🚽 Regular

    @scarlet_manuka said in Win 10 BSODs, but only for one user:

    Any suggestions as to what I should be looking for or how I might be able to narrow down this problem?

    Should be pretty easy. Thankfully you're bluescreening so that means you can get a full memory dump to analyse.

    Type "advanced system settings" in the search bar and then click on 'View Advanced System Settings'

    Click 'Settings' under 'Startup and Recovery' and check the following options are set:

    • Write an event to the system log
    • Write debugging information -> Kernel memory dump
    • Dump file: %SystemRoot%\MEMORY.DMP
    • Overwrite any existing file

    We need windbg to analyse the dumps so go ahead and install the WDK: https://docs.microsoft.com/en-us/windows-hardware/drivers/download-the-wdk

    Now cause a bluescreen, wait for the memory to be dumped, and the fun can start!

    Open windbg. In the 'File' menu go to 'Symbol File Path' and put the following in the box:

    cache*;srv*https://msdl.microsoft.com/download/symbols
    

    In the 'File' menu click 'Open a Crash Dump' and navigate to your %systemroot% (probably c:\windows) and open the memory.dmp file.

    Now wait for windbg to churn away to itself for a while.

    In the little kd> prompt at the bottom type !analyze -v

    Edit: SYSTEM_SERVICE_EXCEPTION is not a blocked IRP issue so what you want to do is:

    In the kd> prompt type .cxr [hex address shown in argument 3 that !analyze -v spat out]

    Next type kb to view the stack. The guilty party should be in there.

    Edit2: Param list for 'SYSTEM_SERVICE_EXCEPTION' was found here: https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/bug-check-0x3b--system-service-exception



  • @cursorkeys Do I need to blame EA? I think I need to blame EA just on general principles. Though I suspect there wouldn't be a function called FsRtlQueryKernelEaFile for that EA.

    # RetAddr           : Call Site
    00 fffff805`528e2304 : wcifs!WcShouldRedirectEaAndUsn+0x2f
    01 fffff805`4da07852 : wcifs!WcPreQueryEa+0x54
    02 fffff805`4da073f8 : FLTMGR!FltpPerformPreCallbacks+0x2e2
    03 fffff805`4da06ffb : FLTMGR!FltpPassThroughInternal+0x88
    04 fffff805`4da06d9e : FLTMGR!FltpPassThrough+0x1ab
    05 fffff801`af8c0669 : FLTMGR!FltpDispatch+0x9e
    06 fffff801`afdedc7d : nt!IofCallDriver+0x59
    07 fffff805`4dbcaffb : nt!FsRtlQueryKernelEaFile+0x11d
    08 fffff805`4dbcb0c7 : CI!CipGetFileCache+0x287
    09 fffff801`afdf71da : CI!CiGetFileCache+0x37
    0a fffff805`529af39f : nt!SeGetCachedSigningLevel+0x4a
    0b fffff805`4da06a8a : aswMonFlt+0x1f39f
    0c fffff805`4da06246 : FLTMGR!FltpPerformPostCallbacks+0x47a
    0d fffff805`4da08809 : FLTMGR!FltpPassThroughCompletionWorker+0x76
    0e fffff805`4da3b57f : FLTMGR!FltpLegacyProcessingAfterPreCallbacksCompleted+0x239
    0f fffff801`af8c0669 : FLTMGR!FltpCreate+0x2cf
    10 fffff801`afd605e2 : nt!IofCallDriver+0x59
    11 fffff801`afd80237 : nt!IopParseDevice+0x822
    12 fffff801`afd77910 : nt!ObpLookupObjectName+0x5b7
    13 fffff801`afd1ec83 : nt!ObOpenObjectByNameEx+0x1e0
    14 fffff801`afa13513 : nt!NtQueryAttributesFile+0x193
    15 00007ff9`28c60a64 : nt!KiSystemServiceCopyEnd+0x13
    16 00000000`00000000 : 0x00007ff9`28c60a64
    

  • Banned

    @scarlet_manuka said in Win 10 BSODs, but only for one user:

    @tsaukpaetra Yep, I only give the kids limited accounts on any machine.

    That is my default plan, as long as it's not some screwed up file in her account that's causing the problem. One difficulty is that she's worried about losing her stuff, but couldn't explain to me where she's putting it. 😕 (She's 11, so it shouldn't be that hard.) I guess I can just grab whatever looks likely and if she has to configure some things again, so be it.

    Just make a full backup, zip it and make her search for whatever she needs, when she needs it.



  • The debugger says cloudapp.exe is the faulting module. From their website it doesn't seem like anything she would need, so I've taken a zip of the package folder in her local data and deleted it (couldn't find a proper uninstaller). We'll see if that helps.



  • @scarlet_manuka said in Win 10 BSODs, but only for one user:

    couldn't find a proper uninstaller

    CloudApp.exe /uninstall

    Edit: source http://www.shouldiremoveit.com/CloudApp-for-Windows-123317-program.aspx


  • Garbage Person

    @scarlet_manuka said in Win 10 BSODs, but only for one user:

    The debugger says cloudapp.exe is the faulting module. From their website it doesn't seem like anything she would need, so I've taken a zip of the package folder in her local data and deleted it (couldn't find a proper uninstaller). We'll see if that helps.

    How in the fuckville is a userland app causing a BSoD in this day and age?


  • Notification Spam Recipient

    @weng said in Win 10 BSODs, but only for one user:

    @scarlet_manuka said in Win 10 BSODs, but only for one user:

    The debugger says cloudapp.exe is the faulting module. From their website it doesn't seem like anything she would need, so I've taken a zip of the package folder in her local data and deleted it (couldn't find a proper uninstaller). We'll see if that helps.

    How in the fuckville is a userland app causing a BSoD in this day and age?

    User isolation bug I think, based on what crashed.



  • @weng said in Win 10 BSODs, but only for one user:

    How in the fuckville is a userland app causing a BSoD in this day and age?

    Windows 10 🤷‍♂️


  • 🚽 Regular

    @scarlet_manuka said in Win 10 BSODs, but only for one user:

    @cursorkeys Do I need to blame EA? I think I need to blame EA just on general principles.

    They need to answer for Origin anyway...

    # RetAddr           : Call Site
    00 fffff805`528e2304 : wcifs!WcShouldRedirectEaAndUsn+0x2f
    ...
    0b fffff805`4da06a8a : aswMonFlt+0x1f39f
    ...
    16 00000000`00000000 : 0x00007ff9`28c60a64
    

    That's interesting and a lot less useful than I expected at the same time. You can see Avast (aswMonFlt) having a peek in the middle though.

    I guess 0x00007ff9`28c60a64 is cloudapp.exe, as identified by the autoanalysis. If you changed to a complete memory dump it should then show the module name there rather than just the virtual address.
    I think you would have been able to do !process 7ff928c60a64 7 as well even with just a kernel dump (or analyse got it from the exception record, I'm not sure).

    Hope uninstalling it fixes the problem!
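
An added example, not part of any post in this thread: a short Python script that triages the `kb` stack posted above. It lists modules that appear only as module+offset (a heuristic for third-party drivers when only the Microsoft symbol server is configured) and the drivers that Filter Manager callbacks were calling into, outermost first; the function names are this example's own.

```python
import re

# Stack frames copied from the `kb` output posted in the thread.
KB = """\
00 fffff805`528e2304 : wcifs!WcShouldRedirectEaAndUsn+0x2f
01 fffff805`4da07852 : wcifs!WcPreQueryEa+0x54
02 fffff805`4da073f8 : FLTMGR!FltpPerformPreCallbacks+0x2e2
03 fffff805`4da06ffb : FLTMGR!FltpPassThroughInternal+0x88
04 fffff805`4da06d9e : FLTMGR!FltpPassThrough+0x1ab
05 fffff801`af8c0669 : FLTMGR!FltpDispatch+0x9e
06 fffff801`afdedc7d : nt!IofCallDriver+0x59
07 fffff805`4dbcaffb : nt!FsRtlQueryKernelEaFile+0x11d
08 fffff805`4dbcb0c7 : CI!CipGetFileCache+0x287
09 fffff801`afdf71da : CI!CiGetFileCache+0x37
0a fffff805`529af39f : nt!SeGetCachedSigningLevel+0x4a
0b fffff805`4da06a8a : aswMonFlt+0x1f39f
0c fffff805`4da06246 : FLTMGR!FltpPerformPostCallbacks+0x47a
0d fffff805`4da08809 : FLTMGR!FltpPassThroughCompletionWorker+0x76
0e fffff805`4da3b57f : FLTMGR!FltpLegacyProcessingAfterPreCallbacksCompleted+0x239
0f fffff801`af8c0669 : FLTMGR!FltpCreate+0x2cf
10 fffff801`afd605e2 : nt!IofCallDriver+0x59
11 fffff801`afd80237 : nt!IopParseDevice+0x822
12 fffff801`afd77910 : nt!ObpLookupObjectName+0x5b7
13 fffff801`afd1ec83 : nt!ObOpenObjectByNameEx+0x1e0
14 fffff801`afa13513 : nt!NtQueryAttributesFile+0x193
15 00007ff9`28c60a64 : nt!KiSystemServiceCopyEnd+0x13
16 00000000`00000000 : 0x00007ff9`28c60a64
"""
FRAME = re.compile(r"^\s*([0-9a-f]{2}) \S+ : (?:([A-Za-z_]\w*)(?:!([^+\s]+))?|0x\S+)", re.M)

def parse(text):
    """Return (index, module, symbol) per frame; raw addresses give module None."""
    return [(int(i, 16), mod or None, sym or None) for i, mod, sym in FRAME.findall(text)]

def unsymbolized(frames):
    """Modules seen only as module+offset: no symbols resolved (heuristic: third-party)."""
    return sorted({m for _, m, s in frames if m and not s})

def filter_callbacks(frames):
    """(callback dispatcher, module it called) pairs, outermost call first."""
    out = []
    for (_, mod, sym), (_, callee, _) in zip(frames[1:], frames):
        if mod == "FLTMGR" and sym in ("FltpPerformPreCallbacks", "FltpPerformPostCallbacks"):
            out.append((sym, callee))
    return out[::-1]

frames = parse(KB)
print(unsymbolized(frames))
print(filter_callbacks(frames))
```

Read outermost first, the second list shows aswMonFlt running in a post-callback on the file open, and wcifs running in the pre-callback for the nested extended-attribute query that ends at the crashing frame.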



  • @cursorkeys Got her to log in this morning... it complains about not being able to find cloudapp, and then doesn't BSOD. I'll try to uninstall it properly tonight, and have the conversation about "why did you even want this in the first place?" So thanks for your help with this.

    Now I just have to work out why her Start menu doesn't work. (Responds properly to right-click, but left-click or pressing the Windows button do nothing.) I'd be willing to bet the answer is once again "random crap she's installed into her profile", but hey, that's why the kids have limited accounts; she can screw up her own profile all she likes, but she can't ruin it for everyone else.

    @weng said in Win 10 BSODs, but only for one user:

    How in the fuckville is a userland app causing a BSoD in this day and age?

    The actual crash looked to be an uncaught NPE (accessing [rax+10] when rax = 0). There's presumably some error in wcifs.sys where it's either not checking the parameters that have come from userspace properly, or doesn't check the result of some operation. It's just that cloudapp is triggering the bug, no doubt by doing something stupid and wrong (for example, passing a null pointer when it shouldn't). But it's a lot easier for me to get rid of cloudapp than to either fix or remove wcifs.sys...


  • Notification Spam Recipient

    @scarlet_manuka said in Win 10 BSODs, but only for one user:

    Now I just have to work out why her Start menu doesn't work. (Responds properly to right-click, but left-click or pressing the Windows button do nothing.)

    78 percent chance the profile's fucked, and the only real thing you can do is recreate the profile anew....


  • BINNED

    @scarlet_manuka said in Win 10 BSODs, but only for one user:

    There's presumably some error in wcifs.sys

    Given the choice I'd blame Avast before blaming Windows components.


  • ♿ (Parody)

    @tsaukpaetra said in Win 10 BSODs, but only for one user:

    User isolation bug I think, based on what crashed.

    What is a "user isolation bug?"


  • Notification Spam Recipient

    @boomzilla said in Win 10 BSODs, but only for one user:

    @tsaukpaetra said in Win 10 BSODs, but only for one user:

    User isolation bug I think, based on what crashed.

    What is a "user isolation bug?"

    When your user accidentally a word and they get sent to solitary confinement for their radicalism.



  • Wow, you guys really impressed me being able to read windows crash dumps. I thought those were generally useless.

    I have a sort of related problem - SQL Server management studio crashes on one of the servers a few times a day. Usually when I'm not using it (when I reconnect RDP I see that it has crashed).

    Any way to troubleshoot that to figure out WTF it's crashing? It's really annoying. I have considered just recreating the profile, but would love to know how to actually troubleshoot the problem.



  • @dangeruss said in Win 10 BSODs, but only for one user:

    Wow, you guys really impressed me being able to read windows crash dumps. I thought those were generally useless.

    Yeah, I'm surprised how quickly they found the issue. I've had to poke through crash dumps before and it was a huge pain, even though I knew the crash was coming from somewhere in my own kernel-mode driver that I had source for...


  • Notification Spam Recipient

    @dangeruss said in Win 10 BSODs, but only for one user:

    Wow, you guys really impressed me being able to read windows crash dumps. I thought those were generally useless.

    Now, if y'all can replicate this feat with this core dump, which was produced by this binary running on a FreeBSD jail with Linux emulation (the CentOS 6 package I guess), I'd be impressed.

    Best I can figure (since they're not providing symbols) is that something failed to call something completely and it failed to return with good data....

