BSOD on startup every day - Trying to identify specific causation

Question

Hi all,

For the past week or so I've been experiencing BSODs whenever I power on the computer first during the day; after we REACH the Windows splash screen, I have no further issues, even when restarting.

rom reviewing the Event Logs I can see one in there stating the following:

"The system has rebooted without cleanly shutting down first. This error could be caused if the system stopped responding, crashed, or lost power unexpectedly."
followed closely by:
"The driver \Driver\WudfRd failed to load for the device PCI\VEN_5853&DEV_1003\1&1a590e2c&0&03."

So far as far as causation goes, this is the only thing throwing flags, as I've successfully performed Windows Memory Diagnostics with no issues being found, system file checks with no corruption being found, and lastly checking in on the device manager and checking all tabs to ensure nothing in there is throwing errors. As far as I can tell, these issues began this week.

I know that this week I plugged in a new keyboard that is different to that of my old one, and in doing so I needed to download some more drivers for it, however I went from a Roccat Aimo 120 to a Roccat Aimo 100, to which the only real difference is the fact that the 100 doesn't have a hand wrest with the keyboard. Besides that, it doesn't appear any different specification wise, so I'm unclear on whether this is the cause. I also changed my power plan on the rig from Balanced to Performance, though I don't expect this to be the cause.

Originally I believed perhaps that drivers were the issue, however, now I'm not so sure.

To cut a long story short, I ran a bugcheck analysis using the Windows Debug tools which threw me the following:

12: kd> !analyze -v
***

    *
    Bugcheck Analysis *
    *

***

MEMORY_MANAGEMENT (1a)
# Any other values for parameter 1 must be individually examined.
Arguments:
Arg1: 0000000000041792, A corrupt PTE has been detected. Parameter 2 contains the address of
the PTE. Parameters 3/4 contain the low/high parts of the PTE.
Arg2: ffff83816716da08
Arg3: 0000800000000000
Arg4: 0000000000000000

Debugging Details:
------------------


KEY_VALUES_STRING: 1

Key : Analysis.CPU.mSec
Value: 3249

Key : Analysis.DebugAnalysisManager
Value: Create

Key : Analysis.Elapsed.mSec
Value: 10478

Key : Analysis.Init.CPU.mSec
Value: 1249

Key : Analysis.Init.Elapsed.mSec
Value: 65592

Key : Analysis.Memory.CommitPeak.Mb
Value: 73

Key : MemoryManagement.PFN
Value: 800000000

Key : WER.OS.Branch
Value: vb_release

Key : WER.OS.Timestamp
Value: 2019-12-06T14:06:00Z

Key : WER.OS.Version
Value: 10.0.19041.1


BUGCHECK_CODE: 1a

BUGCHECK_P1: 41792

BUGCHECK_P2: ffff83816716da08

BUGCHECK_P3: 800000000000

BUGCHECK_P4: 0

MEMORY_CORRUPTOR: ONE_BIT

BLACKBOXNTFS: 1 (!blackboxntfs)


CUSTOMER_CRASH_COUNT: 1

PROCESS_NAME: autochk.exe

STACK_TEXT:
ffff988d4679f388 fffff8054624423a : 000000000000001a 0000000000041792 ffff83816716da08 0000800000000000 : nt!KeBugCheckEx
ffff988d4679f390 fffff80546242a6f : ffff8688b7883700 0000000000000000 ffff868800000002 0000000000000000 : nt!MiDeleteVa+0x153a
ffff988d4679f490 fffff80546212c10 : 0000000000000001 ffff988d00000000 ffff8688b7883550 ffff8688b7910080 : nt!MiDeletePagablePteRange+0x48f
ffff988d4679f7a0 fffff80546252277 : 000000002ce2db4f 0000000000000000 ffff868800000000 fffff80500000000 : nt!MiDeleteVad+0x360
ffff988d4679f8b0 fffff805465f908c : ffff988d00000000 0000000000000000 ffff988d4679fa10 000002ce2db30000 : nt!MiFreeVadRange+0xa3
ffff988d4679f910 fffff805465f8b65 : 00007ff70784b980 000002ce44f49e50 ffff988d4679fad8 0000000000000000 : nt!MmFreeVirtualMemory+0x4ec
ffff988d4679fa60 fffff80546408bb8 : ffff8688b7910080 ffff868800000001 0000000000000000 ffff868800000000 : nt!NtFreeVirtualMemory+0x95
ffff988d4679fac0 00007ffa4676d134 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : nt!KiSystemServiceCopyEnd+0x28
000000e2f757a4b8 0000000000000000 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : 0x00007ffa`4676d134


MODULE_NAME: hardware

IMAGE_NAME: memory_corruption

STACK_COMMAND: .thread ; .cxr ; kb

FAILURE_BUCKET_ID: MEMORY_CORRUPTION_ONE_BIT

OS_VERSION: 10.0.19041.1

BUILDLAB_STR: vb_release

OSPLATFORM_TYPE: x64

OSNAME: Windows 10

FAILURE_ID_HASH: {e3faf315-c3d0-81db-819a-6c43d23c63a7}

Followup: MachineOwner

I work in tech, but I am by no means a master, and to be frank, I don't know what I'm reading here. I can gather that it is telling me that there's something wrong with memory, in that it's seeing corruption, but other than that I'm honestly not too sure.

Here's the event log that prompted me finding these issues:

Event ID 1001

The computer has rebooted from a bugcheck. The bugcheck was: 0x0000001a (0x0000000000041792, 0xffff83816716da08, 0x0000800000000000, 0x0000000000000000). A dump was saved in: C:\WINDOWS\MEMORY.DMP. Report Id: 15812135-3f48-42c4-b474-5b9fd5a5cf7e.

If there's any more information required, please don't hesitate to ask and I will do my best to gather it for you.

Answer 1

In case you are able to boot into the system, then perform a Clean Boot and see if the problem persist, take a look at:
https://support.microsoft.com/en-us/topic/how-to-perform-a-clean-boot-in-windows-da2f9573-6eec-00ad-2f8a-a97a1807f3dd
If not, you may enable services one by one to see which one is causing the problem.
Are you facing the same issue in the Safe Mode too?

Answer 2

Hello,
Are you running Citrix Software?
The PNP id VEN_5853&DEV_1003\1&1a590e2c&0&03 you mention is for a Citrix Indirect Display Adapter.
Maybe try disabling this as a test to see if you get the same error message

Answer 3

Please run the V2 log collector and post a share link into this thread using one drive, drop box, or google drive:
https://www.windowsq.com/t/bsod-posting-instructions.17/
https://www.windowsq.com/resources/v2-log-collector.8/
https://www.tenforums.com/bsod-crashes-debugging/2198-bsod-posting-instructions.html

%
%
%
%
%

The Microsoft Q&A email notifications are not working in my account.
A thread was opened in the feedback area.
To date there has been to fix.
So there likely will no longer be a fast reply to posts.
And posts may be missed.
Comments can be made in the feedback thread to indicate that a post was made.

.
.
.
.
.
Please remember to vote and to mark the replies as answers if they help.

On the bottom of each post there is:

Propose as answer = answered the question

On the left side of each post: Vote = a helpful post
.
.
.
.
.

Answer 4

Please perform the following steps:
(some may have been performed earlier in the troubleshooting)

1) Open administrative command prompt and type or copy and paste:

sfc /scannow
dism /online /cleanup-image /restorehealth

When these have completed > right click on the top bar or title bar of the administrative command box > left click on edit then select all > right click on the top bar again > left click on edit then copy > paste into this thread

2) Open administrative command prompt and type or copy and paste: (all at one time)

wmic recoveros set autoreboot = false
wmic recoveros set debuginfotype = 7
wmic recoveros get autoreboot
wmic recoveros get debuginfotype
wmic computersystem where name=%computername% set automaticmanagedpagefile=true
wmic computersystem where name=%computername% get automaticmanagedpagefile
bcdedit /enum {badmemory}
powercfg -h off

When these have completed > right click on the top bar or title bar of the administrative command box > left click on edit then select all > right click on the top bar again > left click on edit then copy > paste into this thread

3) Open administrative command prompt and type or copy and paste:

chkdsk /r /v W:
(change W to the applicable drive letter: C or D)
(test all drives)
(the windows drive testing can be performed overnight)

C:\WINDOWS\system32>chkdsk /r /v C:
The type of the file system is NTFS.
Cannot lock current drive.

Chkdsk cannot run because the volume is in use by another
process. Would you like to schedule this volume to be
checked the next time the system restarts? (Y/N)

(type: y)

https://www.tenforums.com/tutorials/4189-turn-off-fast-startup-windows-10-a.html
https://www.tenforums.com/tutorials/2859-enable-disable-hibernate-windows-10-a.html
https://www.tenforums.com/tutorials/40734-drive-error-checking-windows-10-a.html
https://www.tenforums.com/tutorials/40822-read-chkdsk-log-event-viewer-windows-10-a.html

4) Run Memtest86 for two tests of four passes:

https://www.memtest86.com/

Repeat the test so that there are a total of eight passes.

Find a camera or smartphone camera to take pictures and post images into this thread.

For any problems posting images please use share links.

Memtest86 has a feature to view a text report.

Please post both images and text reports.

5) Uninstall and reinstall:
e1r68x64.sys
Intel(R) I211 Gigabit Network Connection

Name [00000001] Intel(R) I211 Gigabit Network Connection
Adapter Type Ethernet 802.3
Product Type Intel(R) I211 Gigabit Network Connection
PNP Device ID PCI\VEN_8086&DEV_1539&SUBSYS_85F01043&REV_03\6&2AD155D1&0&0028000A
Driver C:\WINDOWS\SYSTEM32\DRIVERS\E1R68X64.SYS (12.18.11.1, 579.37 KB (593,272 bytes), 13/07/2021 22:03)

e1rexpress Intel(R) PCI Express Network Connection Driver R c:\windows\system32\drivers\e1r68x64.sys

6) For any new BSOD after performing all of the above steps run V2 and post a share link into this thread.

.
.
.
.
.
Please remember to vote and to mark the replies as answers if they help.

On the bottom of each post there is:

Propose as answer = answered the question

On the left side of each post: Vote = a helpful post
.
.
.
.
.

Answer 5

There are settings that can be modified to increase the likelihood that crashes are witnessed by the end user.
And that when these crashes occur they create dump files that are more useful for those providing help.

When using the default Windows setting it can be easy to miss BSOD.
The default setting is to automatically restart after a BSOD.

The modified setting unchecks automatically restart.
The end user now can view the BSOD screen with :(
Sometimes it may display a misbehaving driver.

There are various types of settings for when a BSOD occurs.
The 7 is for automatic.
The goal is to create a dump file that can be shared using a share link.
Some settings do not allow the creation of a memory dump.
Other settings allow the creation of a very large dump file that cannot be easily shared.

The next two commands are to check that the settings were properly modified.

The next command makes sure that the page file is automatically managed.

The next command checks to see that it had been properly modified.

The next command checks to see whether windows had predicted RAM would fail.

The final command turns off hibernation which also turns off Windows fast startup.

Some of the dump files had reported: The disk subsystem returned corrupt data while reading from the hibernation file.

All of the above steps should be maintained during the troubleshooting process.

When troubleshooting has completed you are free to modify any of the settings to your preferences.

In addition to the above steps please post images of each of these windows:
a) startup and recovery system failure settings
b) virtual memory / page file settings

If you need instructions on how to open these windows steps can be provided.

.
.
.
.
.
Please remember to vote and to mark the replies as answers if they help.

On the bottom of each post there is:

Propose as answer = answered the question

On the left side of each post: Vote = a helpful post
.
.
.
.
.