WDF_VIOLATION when install/refresh/reset

rakkarage · 28 Apr 2015

Been using Windows 10 since it was released with no major problems.

On 10061 I got some malware (russian game website open in browser on boot) so i tried to use Settings->Reset/Refresh but it just BSOD and reset without changing anything.

So I reinstalled Windows twice (9926/10041) and get two BSOD during install.

I searched for days and tried many anti-virus and anti-rootkit software but found nothing. How can this problem persist after resinstall? no one else seems to have this problem with windows 10.

Some malware must persist on another (ESP) partition?

Attachment 17934

I tried to use Windows Defender Offline but got this error:

Attachment 17933

I don't know... Argh... Please help. Thank you.

Attachment 17932

usasma · 29 Apr 2015

First off, the Secure Boot files are damaged - so that's going to give you problems right from the start.
I'd do the following:
- ensure that you have a set of uncorrupted recovery disks/drive
- run DBAN on the boot drive. Disconnect all other drives
- clear/reset the CMOS
- flash the UEFI with the latest version available from Dell

I'm not an expert w/Secure Boot, so I'd suggest posting over in the General Discussion forums for more advice on this.
Ensure that you download all the appropriate drivers from the Dell website (there are several that are missing in the current installation (SMBus, USB, network). Here's an article from a year ago about bootkits and UEFI: New attacks defeat Secure Boot and brick PCs | PCWorld

EDIT: Link to bootkit scanners: bootkit scanner - Google Search

It appears that the SynRMIHID.sys driver is being blamed (in the WER section of MSINFO32 - not in the dump files) - please update the Synaptics Touchpad drivers for your system if this continues.

Another test would be to run Driver Verifier with these settings: Driver Verifier Settings
ALSO, enable checking of the Wdf01000.sys as it was involved in these crashes.

Analysis:
The following is for informational purposes only.

Code:

**************************Tue Apr 28 19:33:40.203 2015 (UTC - 4:00)**************************
Loading Dump File [C:\Users\John\SysnativeBSODApps\042815-39765-01.dmp]
*** WARNING: Unable to verify timestamp for ntoskrnl.exe
*** ERROR: Module load completed but symbols could not be loaded for ntoskrnl.exe
Windows 8 Kernel Version 10061 MP (4 procs) Free x64
Built by: 10061.0.amd64fre.fbl_impressive.150410-2039
System Uptime:0 days 0:09:42.929
*** WARNING: Unable to verify timestamp for ntoskrnl.exe
*** ERROR: Module load completed but symbols could not be loaded for ntoskrnl.exe
*** WARNING: Unable to verify timestamp for Wdf01000.sys
*** ERROR: Module load completed but symbols could not be loaded for Wdf01000.sys
Probably caused by :Wdf01000.sys ( Wdf01000+31406 )
BugCheck 10D, {5, 0, 100a, ffffe00181ea6e20}
BugCheck Info: WDF_VIOLATION (10d)
Arguments: 
Arg1: 0000000000000005, A framework object handle of the incorrect type was passed to
    a framework object method.
Arg2: 0000000000000000, The handle value passed in.
Arg3: 000000000000100a, Reserved.
Arg4: ffffe00181ea6e20, Reserved.
BUGCHECK_STR:  0x10D_5
FAILURE_BUCKET_ID: WRONG_SYMBOLS
CPUID:        "Intel(R) Core(TM) i5-5200U CPU @ 2.20GHz"
MaxSpeed:     2200
CurrentSpeed: 2195
  BIOS Version                  A01
  BIOS Release Date             11/04/2014
  Manufacturer                  Dell Inc.
  Product Name                  Inspiron 5749
  Baseboard Product             0CC96W
¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨``
**************************Tue Apr 28 19:11:55.058 2015 (UTC - 4:00)**************************
Loading Dump File [C:\Users\John\SysnativeBSODApps\042815-39125-01.dmp]
*** WARNING: Unable to verify timestamp for ntoskrnl.exe
*** ERROR: Module load completed but symbols could not be loaded for ntoskrnl.exe
Windows 8 Kernel Version 10061 MP (4 procs) Free x64
Built by: 10061.0.amd64fre.fbl_impressive.150410-2039
System Uptime:0 days 0:05:21.086
*** WARNING: Unable to verify timestamp for ntoskrnl.exe
*** ERROR: Module load completed but symbols could not be loaded for ntoskrnl.exe
*** WARNING: Unable to verify timestamp for Wdf01000.sys
*** ERROR: Module load completed but symbols could not be loaded for Wdf01000.sys
Probably caused by :Wdf01000.sys ( Wdf01000+31406 )
BugCheck 10D, {5, 0, 100a, ffffe0003dee5d00}
BugCheck Info: WDF_VIOLATION (10d)
Arguments: 
Arg1: 0000000000000005, A framework object handle of the incorrect type was passed to
    a framework object method.
Arg2: 0000000000000000, The handle value passed in.
Arg3: 000000000000100a, Reserved.
Arg4: ffffe0003dee5d00, Reserved.
BUGCHECK_STR:  0x10D_5
FAILURE_BUCKET_ID: WRONG_SYMBOLS
CPUID:        "Intel(R) Core(TM) i5-5200U CPU @ 2.20GHz"
MaxSpeed:     2200
CurrentSpeed: 2195
  BIOS Version                  A01
  BIOS Release Date             11/04/2014
  Manufacturer                  Dell Inc.
  Product Name                  Inspiron 5749
  Baseboard Product             0CC96W
¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨``

3rd Party Drivers:
The following is for information purposes only.
Any drivers in red should be updated or removed from your system. And should have been discussed in the body of my post.

Code:

**************************Tue Apr 28 19:33:40.203 2015 (UTC - 4:00)**************************
DellRbtn.sys                Fri Aug  3 17:32:54 2012 (501C4386)
iaLPSS_UART2.sys            Mon Apr  7 04:08:26 2014 (53425CFA)
TeeDriverx64.sys            Tue Sep 23 16:01:14 2014 (5421D18A)
iaLPSSi_I2C.sys             Mon Feb  2 04:00:08 2015 (54CF3C98)
iaLPSSi_GPIO.sys            Mon Feb  2 04:00:09 2015 (54CF3C99)
igdkmd64.sys                Mon Feb  9 15:32:05 2015 (54D91945)
RTKVHD64.sys                Mon Mar  2 04:57:24 2015 (54F43404)
SynTP.sys                   Fri Mar  6 17:30:56 2015 (54FA2AA0)
SynRMIHID.sys               Fri Mar  6 17:31:28 2015 (54FA2AC0)
rt640x64.sys                Wed Apr  1 10:34:31 2015 (551C01F7)
intelppm.sys                Sat Apr 11 01:48:19 2015 (5528B5A3)
WindowsTrustedRTProxy.sys   Sat Apr 11 01:49:50 2015 (5528B5FE)
WindowsTrustedRT.sys        Sat Apr 11 01:49:52 2015 (5528B600)
filecrypt.sys               Sat Apr 11 01:53:19 2015 (5528B6CF)
mirahid.sys                 Sat Apr 11 01:58:43 2015 (5528B813)
storqosflt.sys              Sat Apr 11 02:00:42 2015 (5528B88A)
¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨``
**************************Tue Apr 28 19:11:55.058 2015 (UTC - 4:00)**************************
SiSRaid2.sys                Wed Sep 24 14:28:20 2008 (48DA86C4)
sisraid4.sys                Wed Oct  1 17:56:04 2008 (48E3F1F4)
iaStorV.sys                 Mon Apr 11 14:48:16 2011 (4DA34CF0)
stexstor.sys                Mon Nov 26 19:02:51 2012 (50B4032B)
amdsbs.sys                  Tue Dec 11 16:21:44 2012 (50C7A3E8)
vstxraid.sys                Mon Jan 21 14:00:28 2013 (50FD904C)
bxvbda.sys                  Mon Feb  4 14:47:18 2013 (51101046)
lsi_sss.sys                 Fri Mar 15 19:39:38 2013 (5143B13A)
HpSAMD.sys                  Tue Mar 26 17:36:54 2013 (515214F6)
3ware.sys                   Thu Apr 11 18:49:23 2013 (51673DF3)
megasr.sys                  Mon Jun  3 18:02:39 2013 (51AD127F)
ADP80XX.SYS                 Fri Jul 12 17:47:36 2013 (51E07978)
nvraid.sys                  Mon Apr 21 14:28:42 2014 (5355635A)
nvstor.sys                  Mon Apr 21 14:34:03 2014 (5355649B)
vsmraid.sys                 Tue Apr 22 15:21:41 2014 (5356C145)
mvumis.sys                  Fri May 23 16:39:04 2014 (537FB1E8)
lsi_sas3i.sys               Wed Sep 10 19:05:56 2014 (5410D954)
arcsas.sys                  Thu Oct 16 14:38:26 2014 (544010A2)
evbda.sys                   Mon Jan 12 05:29:16 2015 (54B3A1FC)
percsas3i.sys               Wed Feb  4 17:52:41 2015 (54D2A2B9)
amdsata.sys                 Thu Feb  5 16:37:12 2015 (54D3E288)
amdxata.sys                 Thu Feb  5 17:37:47 2015 (54D3F0BB)
percsas2i.sys               Thu Feb  5 17:51:05 2015 (54D3F3D9)
iaStorAV.sys                Thu Feb 19 07:08:39 2015 (54E5D247)
megasas.sys                 Wed Mar  4 21:36:29 2015 (54F7C12D)
lsi_sas2i.sys               Tue Mar 17 21:53:03 2015 (5508DA7F)
lsi_sas.sys                 Tue Mar 17 23:15:52 2015 (5508EDE8)
intelide.sys                Sat Apr 11 01:50:48 2015 (5528B638)
agp440.sys                  Sat Apr 11 02:11:42 2015 (5528BB1E)
nv_agp.sys                  Sat Apr 11 02:11:42 2015 (5528BB1E)

rakkarage · 29 Apr 2015

thanks for the help

does windows 10 require secure boot and or uefi?
can i just disable secure boot and enable legacy bios and delete the 3 system partitons (ESP, OEM, MSR) and reinstall windows?

i would rather be able to boot with a bootkit then brick without for now

the only recovery media i have is a windows 10 cd

usasma · 30 Apr 2015

One of the most common suggestions on the Internet is to disable Secure Boot.
As long as you understand the consequences of booting without Secure Boot, go ahead and try it.

rakkarage · 04 May 2015

disabled secure boot and installed some other oses ok
when formatting an empty drive in uefi mode windows will offer to create special partitions (restore, efi, ms, and one for windows)
at this point to make secure boot work again i guess you need to save the secure variables to the disk from the bios?

then to stop windows 10 from BSOD with WDF_VIOLATION each time i disabled the automatic driver updates and overwrites from "Advanced System Settings->Hardware->Device Installation Settings"

Attachment 18424

this lets you install and keep the river you want instead of being overwritten by a potentially buggy one from windows update
in my case a buggy synaptics driver (the one from dell website seems to work)
i think, idk seems to work finally
thanks