Wednesday, May 21, 2014

0x7A Rootkit Debugging

Hello everyone, hope you're all well!

Late last night I received a crash dump, specifically an 0x7A dump. In most cases, 0x7A's are either some sort of HDD problem (connections to the drive/controller), faulty HDD (bad sectors, etc), antivirus causing file system conflicts, etc. You can generally find out if it's likely a drive/connections problem right away as opposed to a software problem by knowing what the 2nd parameter status codes imply. This one however is fairly interesting considering it's being caused by a rootkit (so it appears), and I love interesting kernel-dumps, so let's take a look!

-- You can read my first rootkit debugging post here. It was an 0x3B bug check as opposed to 0x7A.

---------------------------

KERNEL_DATA_INPAGE_ERROR (7a)

This bug check indicates that the requested page of kernel data from the paging file could not be read into memory.

BugCheck 7A, {4, 0, fffffa8009bc11f0, fffff8a009446220}

The 1st parameter of our bug check is 4, which indicates that the 2nd parameter is an error status code (typically I/O status code). With this said, the 3rd parameter in our case AFAIK is the PTE contents, and the 4th parameter is the faulting address.

The 2nd parameter in our case is 0, which is the following NTSTATUS value - STATUS_SUCCESS (0x00000000). Quite simply, it implies that the operation completed successfully.

---------------------------

Let's have a basic look at the call stack:

1: kd> k
Child-SP          RetAddr           Call Site
fffff880`177104d8 fffff801`52f2906c nt!KeBugCheckEx
fffff880`177104e0 fffff801`52eeabb7 nt! ?? ::FNODOBFM::`string'+0x24cc6
fffff880`177105c0 fffff801`52ea8def nt!MiIssueHardFault+0x1b7
fffff880`17710690 fffff801`52e6beee nt!MmAccessFault+0x81f
fffff880`177107d0 fffff801`532ba031 nt!KiPageFault+0x16e
fffff880`17710960 fffff801`532ba8a8 nt!CmEnumerateKey+0x191
fffff880`17710a10 fffff801`52e6d453 nt!NtEnumerateKey+0x308
fffff880`17710b90 000007ff`2b3e2f0a nt!KiSystemServiceCopyEnd+0x13
00000042`a4baf118 00000000`00000000 0x000007ff`2b3e2f0a

Very interesting call stack we have here! The first big red flag, and the question we should be asking ourselves, is: why is a low-level NT registry function taking a page fault? The answer is... we likely have a rootkit!

First off, the CmEnumerateKey routine returns information about a subkey of an open registry key, and if we remember, the 2nd parameter of the bug check was 0 (STATUS_SUCCESS). This indicates that it was successful in its attempt to return information regarding the subkey. Many newer-generation rootkits use a technique known as DKOM (Direct Kernel Object Manipulation) to hide themselves in legitimate Windows processes. In our case here, it appears to have hooked itself into NtEnumerateKey.

Expanding on this, one of the most common ways of going undetected is hooking registry API functions such as RegOpenKey, RegEnumKey and RegEnumValue. To further increase the rootkit's ability to go undetected, it will specifically hook the low-level NT versions of these functions, such as NtOpenKey, NtEnumerateKey and NtEnumerateValueKey.

---------------------------

With all of that said, if the rootkit is so sophisticated at hiding itself, why is this showing in the call stack of a crash dump? Also, why is the system even crashing in the first place? One of the ways to effectively discover a rootkit hooked into the entries listed above is to directly invoke those functions. In this case, the user was attempting to run scans with various software that would detect the rootkit (such as TDSSKiller, etc). Every time the user ran a scan with such software, the system would hit an 0x7A bug check. I may be wrong, but this may be a 'defense' mechanism of the rootkit, or the scan may be conflicting with the rootkit and what it's trying to accomplish with its hooks, so that it either forces a bug check or kernel corruption occurs.

What's the problem? Well, we can almost confirm a rootkit; however, at the same time, we cannot be entirely sure. Why? Well, it is pretty clear that hooks are occurring and we've caught them; however, what's interesting to know is that intrusion prevention-based software also hooks in the same way. The user is crashing every single time he/she runs a scan, so buggy security software is also a possibility.

---------------------------

1: kd> dl nt!PsActiveProcessHead  10 2
fffff801`530acc80  fffffa80`03088328 fffffa80`0a0b1828
fffffa80`03088328  fffffa80`067aec28 fffff801`530acc80
fffffa80`067aec28  fffffa80`07314ae8 fffffa80`03088328
fffffa80`07314ae8  fffffa80`07d45c28 fffffa80`067aec28
fffffa80`07d45c28  fffffa80`07d13368 fffffa80`07314ae8
fffffa80`07d13368  fffffa80`07d13ae8 fffffa80`07d45c28
fffffa80`07d13ae8  fffffa80`07d787e8 fffffa80`07d13368
fffffa80`07d787e8  fffffa80`07d65c28 fffffa80`07d13ae8
fffffa80`07d65c28  fffffa80`07d63368 fffffa80`07d787e8
fffffa80`07d63368  fffffa80`07d63c28 fffffa80`07d65c28
fffffa80`07d63c28  fffffa80`091c2368 fffffa80`07d63368
fffffa80`091c2368  fffffa80`091eb7e8 fffffa80`07d63c28
fffffa80`091eb7e8  fffffa80`07428c28 fffffa80`091c2368
fffffa80`07428c28  fffffa80`0742dc28 fffffa80`091eb7e8
fffffa80`0742dc28  fffffa80`0742ac28 fffffa80`07428c28
fffffa80`0742ac28  fffffa80`07463c28 fffffa80`0742dc28

The first entry is the System Process, which we can confirm:

1: kd> dt nt!_EPROCESS ActiveProcessLinks.Blink poi(PsInitialSystemProcess)
   +0x2e8 ActiveProcessLinks       :  [ 0xfffffa80`067aec28 - 0xfffff801`530acc80 ]
      +0x008 Blink                    : 0xfffff801`530acc80 _LIST_ENTRY [ 0xfffffa80`03088328 - 0xfffffa80`0a0b1828 ]

From here, we can walk along the linked list to confirm whether or not it is corrupt:

1: kd> !validatelist fffff801`530acc80
Found list end after 118 entries

It's not corrupt; however, I don't believe this implies that a rootkit is not present on the system, or that the list hasn't been modified.
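Walking that list by hand is tedious, so here is an added Python example (not from the original post) that parses `dl` output in the format shown above, performs the same back-pointer check that !validatelist performs, and then shows why a clean result is not proof of absence: an entry removed with a plain doubly-linked-list unlink leaves the remaining ring perfectly consistent, and only a cross-view comparison against an independent enumeration reveals it. The four excerpt lines and the head address are the post's own; every other address, and the "independent view", is constructed.

```python
import re

# Excerpt (first four lines) of the `dl nt!PsActiveProcessHead 10 2` output in
# the post: address of the _LIST_ENTRY, then its Flink and Blink.
DL_EXCERPT = """
fffff801`530acc80  fffffa80`03088328 fffffa80`0a0b1828
fffffa80`03088328  fffffa80`067aec28 fffff801`530acc80
fffffa80`067aec28  fffffa80`07314ae8 fffffa80`03088328
fffffa80`07314ae8  fffffa80`07d45c28 fffffa80`067aec28
"""
HEAD = 0xFFFFF801530ACC80  # nt!PsActiveProcessHead in the post's dump

HEX64 = r"([0-9a-f]{8})`([0-9a-f]{8})"
LINE_RE = re.compile(rf"^\s*{HEX64}\s+{HEX64}\s+{HEX64}\s*$")


def parse_dl(text):
    """Return {entry_address: (flink, blink)} from `dl` output; other lines are ignored."""
    nodes = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            addr, flink, blink = (int(m.group(i) + m.group(i + 1), 16) for i in (1, 3, 5))
            nodes[addr] = (flink, blink)
    return nodes


def validate_list(nodes, head):
    """Walk Flink from head, as !validatelist does, checking that every neighbour points back.

    Returns (status, entries_walked); the count includes the head. status is "ok" when
    the ring closes cleanly, "truncated" when the walk leaves the dumped region (the
    post dumped only 0x10 of the 118 entries), or "corrupt: ..." naming the first entry
    whose neighbour does not point back to it.
    """
    seen = []
    cur = head
    while cur not in seen:
        if cur not in nodes:
            return "truncated", len(seen)
        seen.append(cur)
        flink, blink = nodes[cur]
        if flink in nodes and nodes[flink][1] != cur:
            return "corrupt: %#x Flink->Blink != self" % cur, len(seen)
        if blink in nodes and nodes[blink][0] != cur:
            return "corrupt: %#x Blink->Flink != self" % cur, len(seen)
        cur = flink
        if cur == head:
            return "ok", len(seen)
    return "corrupt: loop at %#x" % cur, len(seen)


def make_ring(head, entries):
    """Constructed ring: head -> entries[0] -> ... -> entries[-1] -> head."""
    order = [head] + list(entries)
    return {a: (order[(i + 1) % len(order)], order[i - 1]) for i, a in enumerate(order)}


def unlink(nodes, addr):
    """Plain doubly-linked-list removal; the removed entry's own pointers are left as they were."""
    flink, blink = nodes[addr]
    nodes[blink] = (flink, nodes[blink][1])
    nodes[flink] = (nodes[flink][0], blink)


def walked(nodes, head):
    """Addresses reachable from head via Flink: the list-walk view of the system."""
    out, cur = [], nodes[head][0]
    while cur != head and cur in nodes and cur not in out:
        out.append(cur)
        cur = nodes[cur][0]
    return out


def cross_view_missing(nodes, head, independent_view):
    """Entries an independent enumeration knows about that the list walk never reaches."""
    return sorted(set(independent_view) - set(walked(nodes, head)))


if __name__ == "__main__":
    print(validate_list(parse_dl(DL_EXCERPT), HEAD))  # ('truncated', 4)
    procs = [0xFFFFFA8000001000 + 0x400 * i for i in range(6)]  # constructed link addresses
    ring = make_ring(HEAD, procs)
    unlink(ring, procs[3])                     # the ring stays self-consistent...
    print(validate_list(ring, HEAD))           # ('ok', 6)
    print([hex(a) for a in cross_view_missing(ring, HEAD, procs)])  # ...but one entry is gone
```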

For now, that's about it regarding this post! I just wanted to share my findings thus far. I will have to wait until the user has a chance to run additional recommended scans, such as GMER. I am almost certain in this case that we have a rootkit present, but you never want to be too sure.

Thanks for reading!

References/extra reading:

http://books.google.com/books?id=ENnSA91Bt_4C&dq=zwenumeratekey+rootkit&source=gbs_navlinks_s

http://books.google.com/books?id=VvFlEmS57LQC&dq=NtEnumerateKey&source=gbs_navlinks_s

http://bsodtutorials.blogspot.com/2014/01/rootkits-direct-kernel-object.html

Monday, May 19, 2014

800 answers on MS Answers

I hit 800 answers today on MS Answers! 200 more until 1000! :~)

Wednesday, May 14, 2014

Fast Startup - How to disable if it's causing problems, troubleshooting, etc

Hi everyone,

This morning I woke up from bed as I had to go to the bathroom before getting back into bed and drifting back off to a nice sleep. As I come back into my bedroom, I notice that my PC is still on. I say to myself 'Huh, I swear I remember shutting down'. With that, I shut down again and got up to walk back to my bed. As I am walking back to my bed, I hear my PC turn on again (fans start spinning, etc). I turn around and rub my eyes a little bit to be sure I'm not going completely insane from recent lack of sleep, but it really did turn itself back on.

Right, so at this point I shift from 'please let me go to sleep' mode to '...sigh, I am now extremely tired and have shifted into troubleshooting' mode. At first, I thought right away that something (likely driver/device related) was preventing my system from shutting down. I then thought to myself for a moment and said 'Well, if it's a driver, I'd likely be getting an 0x9F bug check', etc. Also, this was a very random/brand new problem that didn't occur the day before. With that, I figured it was possibly just a bug within a Windows power option. As I am very cautious with my own PC, I wanted to be extra sure.

---------------------------

So there are many things I could have done in this situation to find out what was causing my PC to not shut down properly. For example, being the debugger that I am, and having the love for debugging that I do, I could have run an XPERF trace and seen whether there was anything out of the ordinary, such as high disk read/write usage coming from a particular source, a suspended driver, whatever it may be.

However, given the fact that my #1 goal was to go back to bed as fast as humanly possible, I settled for another extremely useful command using the following steps:

1. Get an Elevated CMD running by running Command Prompt as Administrator.

2. Once Elevated CMD is open, type powercfg -energy.

This command will go ahead and perform a 60 second analysis of the computer’s energy consumption and provide you with a report at the following directory: %systemroot%\Windows\System32\energy-report.html

Once I had done that, I navigated to the appropriate directory and viewed the .html. Side note on this, for what it's worth, I couldn't view the .html within Firefox or Internet Explorer. I've read users having similar issues. Given this was the fact in my case, I simply shrugged and settled for sifting through lots of garble in Notepad (because again, I really just wanted to go back to bed).

---------------------------

First off, perusing through the log I saw the following:

<div class="log-entry-header">System Availability Requests:System Required Request</div>

<div class="log-entry-content">

<div class="log-entry-description">The program has made a request to prevent the system from automatically entering sleep.</div>

<table>

<tr>

<td><span class="detail-name">Requesting Process</span></td>

<td>\Device\HarddiskVolume2\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe</td>

This wasn't the actual problem; it was simply because a Malwarebytes scan was running, so it requested that the system not sleep or shut down until the scan completed. Even once the scan completed, the system still wouldn't shut down, as this was not the true problem. It is merely an example of how detailed this log can actually be.

Reading further, we see what we're really looking for:

<div class="log-entry-header">USB Suspend:USB Device not Entering Selective Suspend</div>

<div class="log-entry-content">

<div class="log-entry-description">This device did not enter the USB Selective Suspend state.  Processor power management may be prevented when this USB device is not in the Selective Suspend state.</div>

<table>

<tr>

<td><span class="detail-name">Device Name</span></td>

<td>USB Input Device</td>

</tr>

<tr>

<td><span class="detail-name">Host Controller ID</span></td>

<td>PCI\VEN_8086&amp;DEV_1C26</td>

From this, we can see that a USB-based device is not entering selective suspend. Normally, this does not stop the system from sleeping/shutting down (AFAIK); however, in this case it surely did. The USB selective suspend feature allows the hub driver to suspend an individual port without affecting the operation of the other ports on the hub. In my case, I have a USB hub on my Das keyboard which houses two devices (a Logitech webcam and a YubiKey).

We can see that we have a Vendor/Device ID. With this, we'll head over to our trusty PCI database - http://www.pcidatabase.com/ - and see what device this is.
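Sifting the report in Notepad works, but it is quicker to parse it. The Python below is an added example (not from the original post) that reads the energy-report.html structure quoted above with the standard library's HTMLParser, collects each log entry's header, description and detail rows, filters entries by category, and splits a Host Controller ID into the vendor and device IDs to look up in the PCI database. The sample report embedded in it is constructed from the fragments quoted above.

```python
from html.parser import HTMLParser

# Constructed sample in the shape of the energy-report.html fragments quoted in
# the post; the real report wraps many such entries in one HTML document.
SAMPLE_REPORT = r"""<html><body>
<div class="log-entry-header">System Availability Requests:System Required Request</div>
<div class="log-entry-content">
<div class="log-entry-description">The program has made a request to prevent the system from automatically entering sleep.</div>
<table><tr><td><span class="detail-name">Requesting Process</span></td>
<td>\Device\HarddiskVolume2\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe</td></tr></table>
</div>
<div class="log-entry-header">USB Suspend:USB Device not Entering Selective Suspend</div>
<div class="log-entry-content">
<div class="log-entry-description">This device did not enter the USB Selective Suspend state.</div>
<table><tr><td><span class="detail-name">Device Name</span></td><td>USB Input Device</td></tr>
<tr><td><span class="detail-name">Host Controller ID</span></td><td>PCI\VEN_8086&amp;DEV_1C26</td></tr></table>
</div>
</body></html>"""


class EnergyReportParser(HTMLParser):
    """Collect each log entry as {"header", "description", "details": {name: value}}."""

    def __init__(self):
        super().__init__()
        self.entries = []
        self._field = None   # text we are inside: header / description / name / value
        self._name = None    # detail name waiting for its value cell
        self._value = ""

    def handle_starttag(self, tag, attrs):
        cls = dict(attrs).get("class")
        if tag == "div" and cls == "log-entry-header":
            self.entries.append({"header": "", "description": "", "details": {}})
            self._field = "header"
        elif tag == "div" and cls == "log-entry-description":
            self._field = "description"
        elif tag == "span" and cls == "detail-name":
            self._field = "name"
        elif tag == "td" and self._name is not None:   # the value cell after a name cell
            self._field, self._value = "value", ""

    def handle_data(self, data):
        text = data.strip()
        if not text or not self.entries:
            return
        if self._field in ("header", "description"):
            self.entries[-1][self._field] += text
        elif self._field == "name":
            self._name = text
        elif self._field == "value":
            self._value += text

    def handle_endtag(self, tag):
        if tag == "td" and self._field == "value":
            self.entries[-1]["details"][self._name] = self._value
            self._name = None
        if tag in ("div", "span", "td"):
            self._field = None


def parse_energy_report(html):
    p = EnergyReportParser()
    p.feed(html)
    p.close()
    return p.entries


def entries_in_category(entries, prefix):
    """Entries whose header starts with a category such as 'USB Suspend'."""
    return [e for e in entries if e["header"].startswith(prefix)]


def pci_ids(host_controller_id):
    """Split 'PCI\\VEN_8086&DEV_1C26' into ('8086', '1C26') for a PCI database lookup."""
    parts = host_controller_id.split("\\")[-1].split("&")
    ids = dict(part.split("_", 1) for part in parts)
    return ids["VEN"], ids["DEV"]


if __name__ == "__main__":
    report = parse_energy_report(SAMPLE_REPORT)
    for entry in entries_in_category(report, "USB Suspend"):
        print(entry["header"], entry["details"])
        print("vendor/device:", pci_ids(entry["details"]["Host Controller ID"]))
```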

To make a long story short, the USB-based device in my case was my Logitech USB Camera (HD Webcam C510). I don't exactly have an answer as to why it wouldn't enter the selective suspend state, but I can imagine it's either:

1. Webcam software didn't properly terminate from prior usage.

2. The hub on my Das keyboard itself isn't exactly 'great', therefore it may have just been a small hub bug/issue.

3. Fast Startup not cooperating with my USB hub devices (and their drivers). This was my issue.

---------------------------

Another way to solve it, permanently in case yours happens frequently (like mine), is to disable Fast Startup. If you're on a desktop with decent hardware, disabling Fast Startup really won't make a noticeable difference. Besides, in my case, when I wake up in the morning I turn on my PC and walk away to complete my morning routine before getting on the PC. With that said, in my case it's not entirely necessary.

To expand on what exactly Fast Startup is: fast startup is a hybrid combination of a cold startup and a wake-from-hibernation startup. Frequently, kernel-mode device drivers need to distinguish fast startups from wake-from-hibernation so that their devices behave as users expect. This is exactly where my issue stemmed from, because my webcam drivers evidently couldn't distinguish the two properly.

During a cold startup, the boot loader constructs a kernel memory image by loading the sections of the Windows kernel file into memory and linking them. Next, the kernel configures core system functions, enumerates the devices attached to the computer, and loads drivers for them.

In contrast, a fast startup simply loads the hibernation file (Hiberfil.sys) into memory to restore the previously saved image of the Windows kernel and loaded drivers. A fast startup tends to take significantly less time than a cold startup.

More information (and much more in-depth) here.

1. Navigate to Start by either clicking the Start icon or hitting the Windows key.

2. In the Search bar, type Power to bring up various Power Options.

3. Select Change what the power buttons do.

4. If you have UAC enabled (it is enabled by default unless you disable it manually), before un-checking Turn on fast startup you'll need to select Change settings that are currently unavailable. Once you do that, you will be able to un-check Turn on fast startup.

After you've unchecked Turn on fast startup, your next shut down will actually shut down the system this time, if you're having the issues described above.

Hope you enjoyed reading!

Monday, May 12, 2014

0x19 Debugging

I've been busy lately so it has been hard to have a sit down and write a proper debugging blog post! I'm here now relaxing before bed, so I figured no better time to go ahead and write a nice post! In today's post we're going to discuss debugging the 0x19 bug check, however debugging this type of bug check also has similarities to 0xC5/0xC2 bug checks as well.

---------------------------

Right, so as always, here's the basic bug check information:

BAD_POOL_HEADER (19)

This indicates that a pool header is corrupt.

Great, so now that we know that, what is pool, and what is bad/went wrong here? This bug check has a lot to do with Windows' memory management, which is pretty complicated. There's a lot of different parts to it, but only a few we really need to discuss for this bug check.

First off, let's discuss pool. What is pool? Well, pool is kernel-mode memory that is used as storage space for drivers. Memory is organized into pages, and a page of memory is usually/typically ~4KB. Windows' memory manager breaks this 4KB of memory up into various smaller 'blocks', some being as small as ~8 bytes. When it comes to 0x19 debugging, we end up looking exactly at these blocks mentioned above. The pool header is used to provide information about the allocation, such as the size/owner of the pool allocation.

Let's take a look at the parameters of the bug check:

BugCheck 19, {d, ffffe000109e288f, 8e83b75113111670, 168e83b751131109}

The 1st parameter of the bug check in our case here is 0xD, which indicates the pool header of a freed block has been modified after it was freed. This is not typically the fault of the prior owner of the freed block; instead it is usually (but not always) due to the block preceding the freed block being overrun. The other three parameters are reserved and, to my knowledge, hold pool entries/addresses.

Let's go ahead and run !pool on the 2nd parameter of the bug check:

1: kd> !pool ffffe000109e288f
Pool page ffffe000109e288f region is GetUlongFromAddress: unable to read from fffff802f49cb208
Nonpaged pool
 ffffe000109e2000 size:  250 previous size:    0  (Allocated)  klxm
 ffffe000109e2250 size:   80 previous size:  250  (Free)       Free
 ffffe000109e22d0 size:   c0 previous size:   80  (Allocated)  KLWc
 ffffe000109e2390 size:   e0 previous size:   c0  (Allocated)  klpt
 ffffe000109e2470 size:   50 previous size:   e0  (Allocated)  KLWp
 ffffe000109e24c0 size:   90 previous size:   50  (Allocated)  KLWe
 ffffe000109e2550 size:   e0 previous size:   90  (Allocated)  klpt
 ffffe000109e2630 size:   30 previous size:   e0  (Free)       Free
 ffffe000109e2660 size:   c0 previous size:   30  (Allocated)  KLWc
 ffffe000109e2720 size:   90 previous size:   c0  (Allocated)  KLPS
 ffffe000109e27b0 size:   90 previous size:   90  (Free )  KLWe
*ffffe000109e2840 size:   50 previous size:   90  (Free)      *KLWp
        Owning component : Unknown (update pooltag.txt)
 ffffe000109e2890 size:   50 previous size:   50  (Free )  KLWp
 ffffe000109e28e0 size:   30 previous size:   50  (Free)       Free
 ffffe000109e2910 size:   50 previous size:   30  (Allocated)  KLWp
 ffffe000109e2960 size:   c0 previous size:   50  (Allocated)  KLWc
 ffffe000109e2a20 size:   80 previous size:   c0  (Allocated)  KLip
 ffffe000109e2aa0 size:   90 previous size:   80  (Allocated)  KLWe
 ffffe000109e2b30 size:   80 previous size:   90  (Allocated)  KLip
 ffffe000109e2bb0 size:   10 previous size:   80  (Free)       Free
 ffffe000109e2bc0 size:   a0 previous size:   10  (Allocated)  dlib
 ffffe000109e2c60 size:   50 previous size:   a0  (Allocated)  KLWp
 ffffe000109e2cb0 size:   30 previous size:   50  (Free)       Free
 ffffe000109e2ce0 size:   50 previous size:   30  (Allocated)  KLWp
 ffffe000109e2d30 size:   80 previous size:   50  (Allocated)  KLip
 ffffe000109e2db0 size:   90 previous size:   80  (Allocated)  KLWe
 ffffe000109e2e40 size:  100 previous size:   90  (Allocated)  KLWc
 ffffe000109e2f40 size:   c0 previous size:  100  (Allocated)  KLWc

Above we can see the blocks we discussed earlier. Now, what are all those letters at the end? Good question! Those are pool tags. What exactly is a pool tag? Well, a pool tag is a four-byte (four-character) identifier that is associated with a dynamically allocated chunk of pool memory. Notice how we have klxm (4), Free (4), KLWc (4), etc. All are 4 characters; no more, no less. The tag is specified by a driver when it allocates the memory.

Notice that in our case for the owning component it says:

*ffffe000109e2840 size:   50 previous size:   90  (Free)      *KLWp
        Owning component : Unknown (update pooltag.txt)

The reason for this is that pooltag.txt only contains kernel-mode components and drivers supplied with Windows. If the driver is 3rd party, it may have a tag assigned by the developer and/or manufacturer; however, it will not be in pooltag.txt. If this is what you see, it is a pretty big clue that a 3rd party driver is causing the corruption in your case.

That is exactly the case here: klxm, KLWc, KLPS, KLWe, etc. are all pool tags relating to the klif.sys driver. We can also confirm this by dumping the call stack:

1: kd> k
Child-SP          RetAddr           Call Site
ffffd000`21512a38 fffff802`f4910167 nt!KeBugCheckEx
ffffd000`21512a40 fffff802`f490fa03 nt!ExFreePoolWithTag+0xe97
ffffd000`21512ac0 fffff800`014380f3 nt!ExFreePoolWithTag+0x733
ffffd000`21512b90 fffff802`f467e000 klif+0x380f3
ffffd000`21512b98 ffffe000`1090bde0 nt!_guard_check_icall_fptr <PERF> (nt+0x0)
ffffd000`21512ba0 ffffe000`004514e0 0xffffe000`1090bde0
ffffd000`21512ba8 00000000`6d734c4b 0xffffe000`004514e0
ffffd000`21512bb0 fffff800`0237bd60 0x6d734c4b
ffffd000`21512bb8 00000000`00000004 klflt+0xed60
ffffd000`21512bc0 00000000`00000080 0x4
ffffd000`21512bc8 fffff800`02393f51 0x80
ffffd000`21512bd0 ffffe000`00453390 klflt+0x26f51
ffffd000`21512bd8 ffffe000`004514e0 0xffffe000`00453390
ffffd000`21512be0 ffffe000`0048e870 0xffffe000`004514e0
ffffd000`21512be8 ffffe000`00453390 0xffffe000`0048e870
ffffd000`21512bf0 00000000`00000000 0xffffe000`00453390

We can see klif.sys calls into the nt!ExFreePoolWithTag routine, which deallocates a block of pool memory allocated with the specified tag. We can see directly afterwards that the bug check was called because the pool header of the freed block had been modified after it was freed, and I believe that is the reason it was called twice in this instance.

With this said, what's the klif.sys driver? It's a Kaspersky driver, although I cannot find any documentation on what specifically this driver is in charge of.

-- You can find out what driver(s) belong to what pool tag(s) if they are 3rd party by doing the following:

1. Run CMD, preferably as admin (Elevated).

2. Change your directory to the drivers folder -- Example: cd %systemroot%\system32\drivers

3. findstr /m /l <tag> *.sys

Obviously replace <tag> with your tag -- So for example, findstr /m /l KLWp *.sys.
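As an added example (not part of the original post), the Python below parses `!pool` output in the format shown earlier, checks that each block's address and 'previous size' chain correctly from the block before it (the relationship the pool walker depends on), decodes a raw 32-bit tag value such as the 0x6d734c4b visible on the stack above into its four characters, and reproduces the findstr search from the steps above over a constructed directory of fake .sys files. The pool lines are copied from the post; the fake drivers and the sample corruption are constructed.

```python
import os
import re
import struct
import tempfile

# Lines copied from the `!pool ffffe000109e288f` output in the post; the
# '*' marks the block that contains the address passed to !pool.
POOL_EXCERPT = """
 ffffe000109e2720 size:   90 previous size:   c0  (Allocated)  KLPS
 ffffe000109e27b0 size:   90 previous size:   90  (Free )  KLWe
*ffffe000109e2840 size:   50 previous size:   90  (Free)      *KLWp
        Owning component : Unknown (update pooltag.txt)
 ffffe000109e2890 size:   50 previous size:   50  (Free )  KLWp
 ffffe000109e28e0 size:   30 previous size:   50  (Free)       Free
 ffffe000109e2910 size:   50 previous size:   30  (Allocated)  KLWp
"""

BLOCK_RE = re.compile(
    r"^\s*(\*?)([0-9a-f]{16})\s+size:\s+([0-9a-f]+)\s+previous size:\s+([0-9a-f]+)"
    r"\s+\((Allocated|Free)\s*\)\s+\*?(\S{4})\s*$"
)


def parse_pool(text):
    """Return one dict per block (addr, size, prev, state, tag, marked); other lines are skipped."""
    blocks = []
    for line in text.splitlines():
        m = BLOCK_RE.match(line)
        if m:
            blocks.append({"marked": m.group(1) == "*", "addr": int(m.group(2), 16),
                           "size": int(m.group(3), 16), "prev": int(m.group(4), 16),
                           "state": m.group(5), "tag": m.group(6)})
    return blocks


def check_chain(blocks):
    """Check what the pool walker relies on: each block starts where the one before it
    ends and its 'previous size' equals that block's size. Returns a list of
    (addr, problem) tuples; an empty list means the dumped page is self-consistent."""
    problems = []
    for prev, cur in zip(blocks, blocks[1:]):
        if prev["addr"] + prev["size"] != cur["addr"]:
            problems.append((cur["addr"], "does not start at previous addr + size"))
        if cur["prev"] != prev["size"]:
            problems.append((cur["addr"], "previous size %#x != %#x" % (cur["prev"], prev["size"])))
    return problems


def decode_tag(value):
    """A pool tag is four ASCII bytes stored little-endian in a 32-bit value, so the
    0x6d734c4b seen on the post's stack reads back as the characters KLsm."""
    return struct.pack("<I", value).decode("ascii")


def drivers_containing_tag(directory, tag):
    """Offline equivalent of `findstr /m /l <tag> *.sys`: .sys files in `directory`
    whose raw bytes contain the literal tag."""
    needle = tag.encode("ascii")
    hits = []
    for name in sorted(os.listdir(directory)):
        if name.lower().endswith(".sys"):
            with open(os.path.join(directory, name), "rb") as f:
                if needle in f.read():
                    hits.append(name)
    return hits


def demo_tag_search(tag="KLWp"):
    """Constructed driver directory (two fake .sys files) so the search runs offline."""
    d = tempfile.mkdtemp()
    with open(os.path.join(d, "fake_kl.sys"), "wb") as f:
        f.write(b"MZ" + b"\x00" * 16 + tag.encode("ascii") + b"\x00" * 16)
    with open(os.path.join(d, "unrelated.sys"), "wb") as f:
        f.write(b"MZ" + b"\x00" * 32)
    return drivers_containing_tag(d, tag)


if __name__ == "__main__":
    blocks = parse_pool(POOL_EXCERPT)
    print(check_chain(blocks))                 # [] : the dumped page chains cleanly
    blocks[3]["prev"] = 0x60                   # constructed corruption of one header
    print(check_chain(blocks))                 # flags the block at ffffe000109e2890
    print(decode_tag(0x6D734C4B))              # KLsm
    print(demo_tag_search())                   # ['fake_kl.sys']
```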

---------------------------

Right, so now that we've established that Kaspersky is the problem here, I advised the user to confirm that removing Kaspersky stopped the problem (it did). Given that the problem didn't exist with Kaspersky removed, the user contacted Kaspersky, and I imagine they either provided a workaround of some sort, or the user simply removed Kaspersky.

Hope you enjoyed reading!

References/extra reading:

http://blogs.technet.com/b/yongrhee/archive/2009/06/24/pool-tag-list.aspx
http://blogs.technet.com/b/askperf/archive/2008/04/11/an-introduction-to-pool-tags.aspx
http://msdn.microsoft.com/en-us/library/windows/hardware/ff557389%28v=vs.85%29.aspx
http://blogs.msdn.com/b/ntdebugging/archive/2013/06/14/understanding-pool-corruption-part-1-buffer-overflows.aspx



Friday, May 9, 2014

[SOLVED] SYSTEM_SERVICE_EXCEPTION / PAGE_FAULT_IN_NONPAGED_AREA

Link to solved thread - Windows 7 Blue Screen Issues With Alt-tabbing From WoW

What the issue was -

- Asus bloatware needed to be removed.

- avast! needed to be removed and replaced with MSE.

[SOLVED] BAD_POOL_CALLER

Link to solved thread - BSOD BAD_POOL_CALLER 0x000000C2 halmacpi.dll

What the issue was -
McAfee was removed and replaced with MSE.

[SOLVED] DPC_WATCHDOG_VIOLATION / KERNEL_SECURITY_CHECK_FAILURE / DRIVER_POWER_STATE_FAILURE

Link to solved thread - BSOD - KERNEL_SECURITY_CHECK_ERROR and DPC_WATCHDOG_VIOLATION

What the issue was -

- ADLESDAC.sys needed to be renamed to .old.

- Norton needed to be removed and replaced with Windows Defender.

- Western Digital SES (SCSI Enclosure Services) needed to be removed.

[SOLVED] DRIVER_IRQL_NOT_LESS_OR_EQUAL

Link to solved thread - Error code: "DRIVER_IRQL_NOT_LESS_OR_EQUAL (tmusa.sys)

What the issue was -
Trend Micro needed to be removed and replaced with Windows Defender.

[SOLVED] IRQL_NOT_LESS_OR_EQUAL

Link to solved thread - Can you diagnose these minidumps?

What the issue was -
Kaspersky + McAfee were both installed on the system at the same time which implies interceptor conflicts. Both were removed and replaced with Windows Defender.

[SOLVED] BAD_POOL_HEADER

Link to solved thread - Windows 8.1 getting constant BAD_POOL_HEADER when Kaspersky Internet Security 2014 is enabled.

What the issue was -
Kaspersky needed to be removed/the user contacted Kaspersky for a workaround.

[SOLVED] SYSTEM_SERVICE_EXCEPTION

Link to solved thread - Windows has recovered from an unexpected shutdown (BSOD)

What the issue was -

- Service Pack 1 needed to be installed.

- Latest video card drivers needed to be installed.

- Norton needed to be removed and replaced with MSE.

- Eltima Software USB to Ethernet Connector driver needed to be updated (or removed if no update available).

[SOLVED] BAD_POOL_CALLER / WDF_VIOLATION

Link to solved thread - bad_pool_caller BSOD windows 8.1 pro

What the issue was -
Ralink RT2870 series USB802.11n Wireless Adapter driver needed to be updated (and if that did not work, the adapter removed).

[SOLVED] DRIVER_IRQL_NOT_LESS_OR_EQUAL

Link to solved thread - Windows 8.1 BSOD problem

What the issue was -
Qualcomm Atheros AR9485WB-EG Wireless Network Adapter driver needed to be updated.

[SOLVED] DRIVER_POWER_STATE_FAILURE

Link to solved thread - BSOD DRIVER_POWER_STATE FAILURE 0x1000009f ntoskrnl.exe

What the issue was -

- AODDriver2.sys bloatware needed to be removed.

- Asus bloatware needed to be removed.

- Avira needed to be removed and replaced with MSE.

[SOLVED] BAD_POOL_CALLER

Link to solved thread - BSOD and Audio Issues

What the issue was -
Aventail VPN Adapter software needed to be removed.

[SOLVED] DRIVER_IRQL_NOT_LESS_OR_EQUAL

Link to solved thread - BSOD driver_irql_not_less_or_equal (Netio.sys) windows 8.1

What the issue was -

- Avira needed to be removed and replaced with Windows Defender.

- PACE needed to be removed.

- Asus bloatware needed to be removed.

[SOLVED] SYSTEM_SERVICE_EXCEPTION / PAGE_FAULT_IN_NONPAGED_AREA / DRIVER_VERIFIER_DETECTED_VIOLATION

Link to solved thread - Lots of ntoskernl.exe Bsods, why?

What the issue was -

- PACE needed to be removed.

- AODDriver2.sys needed to be removed (whether it was Overdrive or Gigabyte bloatware).

[SOLVED] DPC_WATCHDOG_VIOLATION

Link to solved thread - Suspected BSODs on Windows 8.1 0x00000133

What the issue was -

- Latest video card drivers needed to be installed.

- Overclocks stopped and set to defaults.

[SOLVED] DRIVER_POWER_STATE_FAILURE

Link to solved thread - BSOD - Windows 8 Driver Power State Failure

What the issue was -

- Bluetooth drivers needed to be updated.

- McAfee needed to be removed and replaced with Windows Defender.

[SOLVED] WHEA_UNCORRECTABLE_ERROR

Link to solved thread - whea uncorrectable error.. windows 8.1 OC blue screen

What the issue was -
Overclock was unstable, therefore system was returned to defaults.

[SOLVED] BAD_SYSTEM_CONFIG_INFO

Link to solved thread - random BSOD at start up - ntoskrnl.exe+75bc0

What the issue was -
Registry was beyond corrupted (no surprise with this bug check), therefore Windows was clean installed.

[SOLVED] DRIVER_IRQL_NOT_LESS_OR_EQUAL

Link to solved thread - BSOD irql less or equal windows 8.1 igdkm64.sys

What the issue was -

- Latest video card drivers needed to be installed.

- Razer drivers needed to be updated.

- Asus bloatware needed to be removed.

- ExpressCache needed to be removed.

- LUM Runtime needed to be removed.

[SOLVED] MULTIPLE_IRP_COMPLETE_REQUESTS

Link to solved thread - Windows 8.1 MULTIPLE_IRP_COMPLETE_REQUESTS Blue Screen of Death

What the issue was -
Atheros Bluetooth drivers needed to be updated.

[SOLVED] BAD_POOL_HEADER / SYSTEM_SERVICE_EXCEPTION

Link to solved thread - Need help with BSOD! Appreciate any kind of help.

What the issue was -

- Latest video card drivers needed to be installed.

- AVG needed to be removed and replaced with MSE.

- GPU-z needed to be removed.

- RivaTuner/EVGA Precision/MSI Afterburner needed to be removed.

[SOLVED] PFN_LIST_CORRUPT

Link to solved thread - BSOD 0x0000004E

What the issue was -
MagicISO needed to be removed.

[SOLVED] DRIVER_IRQL_NOT_LESS_OR_EQUAL / BAD_POOL_CALLER

Link to solved thread - Blue Screen errors in Windows 8.1

What the issue was -
Norton needed to be removed and replaced with Windows Defender.

[SOLVED] SYSTEM_SERVICE_EXCEPTION

Link to solved thread - Windows 8 64-bit system service exception error (BSOD)

What the issue was -
Latest video card drivers/beta needed to be installed.

[SOLVED] KERNEL_SECURITY_CHECK_FAILURE

Link to solved thread - Kernel_Security_Check_Failure

What the issue was -
Gigabyte bloatware needed to be removed.

[SOLVED] SYSTEM_SERVICE_EXCEPTION

Link to solved thread - Random BSODs win32k.sys 0x3b

What the issue was -

- Asus bloatware needed to be removed.

- Video card drivers needed to be updated.

[SOLVED] SYSTEM_SERVICE_EXCEPTION

Link to solved thread - Random BSOD - Win 8.1 win32k.sys

What the issue was -

- ASRock bloatware needed to be removed.

- avast! needed to be removed and replaced with Windows Defender.

- Daemon Tools needed to be removed.

- cFosSpeed - The Internet Accelerator needed to be removed.

- Video card drivers needed to be updated.

[SOLVED] DRIVER_IRQL_NOT_LESS_OR_EQUAL

Link to solved thread - BSOD with NETIO.SYS

What the issue was -
Windows was reformatted.

[SOLVED] DRIVER_IRQL_NOT_LESS_OR_EQUAL

Link to solved thread - BSOD tap0901.sys

What the issue was -
COMODO needed to be removed.

[SOLVED] CRITICAL_OBJECT_TERMINATION

Link to solved thread - Blue Screening Problem.

What the issue was -
Either the installation media was bad or the HDD was faulty.

[SOLVED] DPC_WATCHDOG_VIOLATION

Link to solved thread - DPC_WATCHDOG_VIOLATION

What the issue was -
AVG needed to be removed and replaced with Windows Defender.

[SOLVED] IRQL_NOT_LESS_OR_EQUAL

Link to solved thread - IRQL_NOT_LESS_OR_EQUAL BSOD

What the issue was -
Dritek System Inc. PS/2 KB to HID Device driver needed to be updated/removed.

[SOLVED] DRIVER_POWER_STATE_FAILURE

Link to solved thread - BSOD everytime shutdown/reboot/sleep/hibernate

What the issue was -
Connectify needed to be removed.

[SOLVED] PAGE_FAULT_IN_NONPAGED_AREA

Link to solved thread - BSOD - see log files

What the issue was -

- avast! needed to be removed and replaced with Windows Defender.

- Daemon Tools needed to be removed.

[SOLVED] DRIVER_IRQL_NOT_LESS_OR_EQUAL

Link to solved thread - iastora.sys BSOD

What the issue was -
IRST needed to be updated to its latest version.

[SOLVED] MEMORY_MANAGEMENT

Link to solved thread - blue screen Memory Management windows 8.1

What the issue was -

- Bitdefender needed to be removed and replaced with Windows Defender.

- Connectify needed to be removed.

[SOLVED] SYSTEM_THREAD_EXCEPTION_NOT_HANDLED_M

Link to solved thread - BSOD System Thread Exception Not Handled

What the issue was -
Windows was ultimately reinstalled and upgraded to Windows 8.

[SOLVED] DPC_WATCHDOG_VIOLATION

Link to solved thread - Random blue screens in Windows 8.1 (DPC_WATCHDOG_VIOLATION)

What the issue was -

- Asus bloatware needed to be removed.

- Daemon Tools needed to be removed.