Bug check analysis help

******************************************************************************** *
* Bugcheck Analysis *
* *
*******************************************************************************


CRITICAL_PROCESS_DIED (ef)
A critical system process died
Arguments:
Arg1: ffff99818d6477c0, Process object or thread object
Arg2: 0000000000000000, If this is 0, a process died. If this is 1, a thread died.
Arg3: 0000000000000000
Arg4: 0000000000000000


Debugging Details:
------------------


Unable to open image file: C:\Program Files (x86)\Windows Kits\8.1\Debuggers\x64\sym\ntkrnlmp.exe\59327910889000\ntkrnlmp.exe
The system cannot find the file specified.




PROCESS_OBJECT: ffff99818d6477c0


IMAGE_NAME: svchost.exe


DEBUG_FLR_IMAGE_TIMESTAMP: 0


MODULE_NAME: svchost


FAULTING_MODULE: 0000000000000000


PROCESS_NAME: System


BUGCHECK_STR: 0xEF_System


DEFAULT_BUCKET_ID: WIN8_DRIVER_FAULT


CURRENT_IRQL: 0


ANALYSIS_VERSION: 6.3.9600.17336 (debuggers(dbg).150226-1500) amd64fre


LAST_CONTROL_TRANSFER: from fffff801b48f7f51 to fffff801b43843f0


STACK_TEXT:
ffff8281`cb400798 fffff801`b48f7f51 : 00000000`000000ef ffff9981`8d6477c0 00000000`00000000 00000000`00000000 : nt!KeBugCheckEx
ffff8281`cb4007a0 fffff801`b4833a6d : ffff9981`8d6477c0 00000000`00000001 ffff9981`8d6477c0 00000000`00000000 : nt!PspCatchCriticalBreak+0xc9
ffff8281`cb4007f0 fffff801`b47130f6 : ffff9981`00000000 ffff9981`8d6477c0 00000000`00000001 ffff9981`8d6477c0 : nt!PspTerminateAllThreads+0x120871
ffff8281`cb400860 fffff801`b4712eb7 : ffffffff`ffffffff ffff9981`8d6477c0 ffff9981`874d5400 fffffff6`00000000 : nt!PspTerminateProcess+0xde
ffff8281`cb4008a0 fffff801`b438f313 : ffff9981`8d6477c0 ffff9981`8e9b3040 ffff8281`cb400990 ffff9981`9109a280 : nt!NtTerminateProcess+0xa7
ffff8281`cb400910 fffff801`b43875d0 : fffff801`c94f6525 fffff801`c9548d30 ffff9981`9109a280 ffff8281`cee1cac0 : nt!KiSystemServiceCopyEnd+0x13
ffff8281`cb400aa8 fffff801`c94f6525 : fffff801`c9548d30 ffff9981`9109a280 ffff8281`cee1cac0 ffff8281`cb400b58 : nt!KiServiceLinkage
ffff8281`cb400ab0 fffff801`c9514441 : ffff8281`00000000 ffff8281`ce57c4c8 ffff9981`9109a280 00000000`00000000 : atc+0x86525
ffff8281`cb400ae0 fffff801`b42f4a37 : 00000000`00000000 ffff9981`8e9b3040 fffff801`c9514324 ffff9981`874d5400 : atc+0xa4441
ffff8281`cb400b90 fffff801`b4389876 : ffff8281`c83e4180 ffff9981`8e9b3040 fffff801`b42f49f0 00000000`00000246 : nt!PspSystemThreadStartup+0x47
ffff8281`cb400be0 00000000`00000000 : ffff8281`cb401000 ffff8281`cb3fa000 00000000`00000000 00000000`00000000 : nt!KiStartSystemThread+0x16




STACK_COMMAND: kb


FOLLOWUP_NAME: MachineOwner


IMAGE_VERSION:


FAILURE_BUCKET_ID: 0xEF_System_IMAGE_svchost.exe


BUCKET_ID: 0xEF_System_IMAGE_svchost.exe


ANALYSIS_SOURCE: KM


FAILURE_ID_HASH_STRING: km:0xef_system_image_svchost.exe


FAILURE_ID_HASH: {645c15b0-f31a-d2b7-1e8c-2e4bc0bcb7fb}


Followup: MachineOwner
---------

My computer restarted out of the blue while I was out. I was hoping if somebody could tell me what happened. windows backup image was causing scheduled system crashes before so I stopped using that and moved on to 3rd party apps like Aomie backup. From what I can guess it's not that this time, as there wasn't any backup by the app or by windows as it's disabled.

Help would be appreciated :)

Please read and follow the instructions here: Blue Screen of Death (BSOD) Posting Instructions

So this is the first time I had a blue screen while using the computer, I was watching a movie when I paused it the system suddenly had bluescreen saying critical process died.

While in the background there is a bunch of things going on logged in the event viewer.
Before the Kernal power Event 41 there is bunch of things (In order new to old, counting from top to bottom)

Failed with 0x490 modifying AppModel Runtime status for package Microsoft.WindowsStore_11705.1001.21.0_x64__8wekyb3d8bbwe for user SHARIF-PC\shari (current status = 0x0, desired status = 0x20).

The machine-default permission settings do not grant Local Activation permission for the COM Server application with CLSID {C2F03A33-21F5-47FA-B4BB-156362A2F239} and APPID {316CDED5-E4AE-4B15-9113-7055D84DCC97} to the user SHARIF-PC\shari SID (S-1-5-21-2029802980-4020693458-1611481750-1001) from address LocalHost (Using LRPC) running in the application container Microsoft.Windows.Cortana_1.8.12.15063_neutral_neutral_cw5n1h2txyewy SID (S-1-15-2-1861897761-1695161497-2927542615-642690995-327840285-2659745135-2630312742). This security permission can be modified using the Component Services administrative tool.

Another one

Faulting application name: vsserv.exe, version: 1.0.8.3, time stamp: 0x590aee7fFaulting module name: ntdll.dll, version: 10.0.15063.0, time stamp: 0xb79b6ddbException code: 0xc000000dFault offset: 0x0000000000105a50Faulting process id: 0xd88Faulting application start time: 0x01d2eadd0396a8bdFaulting application path: C:\Program Files\Bitdefender Antivirus Free\vsserv.exeFaulting module path: C:\WINDOWS\SYSTEM32\ntdll.dllReport Id: d7c619cf-58cf-4444-98db-e18f967b46cfFaulting package full name: Faulting package-relative application ID:

Volume Shadow Copy Service error: Unexpected error querying for the IVssWriterCallback interface. hr = 0x80070005, Access is denied.. This is often caused by incorrect security settings in either the writer or requestor process. Operation: Gathering Writer DataContext: Writer Class Id: {e8132975-6f93-4464-a53e-1050253ae220} Writer Name: System Writer Writer Instance ID: {d5dc5a6c-c202-469b-9ce4-3cb3b2a8149f}

Session "P2PLog" stopped due to the following error: 0xC0000188

The maximum file size for session "P2PLog" has been reached. As a result, events might be lost (not logged) to file "C:\WINDOWS\Logs\Homegroup\p2p.etl". The maximum files size is currently set to 5242880 bytes.

Few more minutes back this happened as well
Intel(R) Ethernet Connection (2) I219-V
Network link is disconnected.

I noticed shadow copy in here if I connect the dots of windows image backup causing crashes.....frankly I am just coming to uncertain conclusions right now

I would really appreciate it if I get a response

Edit
I just realised my quotes aren't being that useful, I just attached the updated attachment with the recent BSOD

zbook said:

Code:

BugCheck EF, {ffffbd8dab6127c0, 0, 0, 0}*** WARNING: Unable to verify timestamp for atc.sys*** ERROR: Module load completed but symbols could not be loaded for atc.sys----- ETW minidump data unavailable-----Probably caused by : svchost.exe

Code:

BugCheck EF, {ffff99818d6477c0, 0, 0, 0}*** WARNING: Unable to verify timestamp for atc.sys*** ERROR: Module load completed but symbols could not be loaded for atc.sys----- ETW minidump data unavailable-----Probably caused by : svchost.exe

Code:

BugCheck 1E, {ffffffffc000001d, fffff80939db7003, ffff8985ce89d080, 200000}*** WARNING: Unable to verify checksum for win32k.sysProbably caused by : memory_corruption

Code:

BugCheck 1E, {ffffffffc000001d, fffff802926a7003, ffffce8bec98f080, 200000}*** WARNING: Unable to verify checksum for win32k.sysProbably caused by : memory_corruption

Code:

BugCheck 1E, {ffffffffc000001d, fffff802d75bd008, ffffd48b46736140, 7ffffffffffffffc}*** WARNING: Unable to verify checksum for win32k.sysProbably caused by : memory_corruption

Code:

BugCheck 3B, {c0000005, fffff8027d0f7bf8, ffffb101440bbcc0, 0}*** WARNING: Unable to verify checksum for win32k.sysProbably caused by : memory_corruption

Code:

The system failed to flush data to the transaction log. Corruption may occur in VolumeId: D:, DeviceName: \Device\HarddiskVolume6.(A device which does not exist was specified.)

Code:

The system failed to flush data to the transaction log. Corruption may occur in VolumeId: D:, DeviceName: \Device\HarddiskVolume6.(A device which does not exist was specified.)

Code:

{Delayed Write Failed} Windows was unable to save all the data for the file \System Volume Information\smartdb_Volume{58b6d0ed-0000-0000-007e-000000000000}.sdb. The data has been lost. This error may be caused by a failure of your computer hardware or network connection. Please try to save this file elsewhere.

Open administrative command prompt and type or copy and paste:


1) winver (in the pop up about windows > view your windows version and build > type this information into the thread)


2) sfc /scannow


3) dism /online /cleanup-image /restorehealth


4) chkdsk /scan


When these have completed > right click on the top bar or title bar of the administrative command prompt box > left click on edit then select all > right click on the top bar again > left click on copy > paste into the thread




5) Run memtest86+ version 5.01 for at least 8 runs. This may take hours so plan to run it overnight.http://www.memtest.org/https://answe...f-ecc7b7ff6461

When memtest86+ has completed 8 or more runs please use the snipping tool to make an image and post into the thread.

6) Uninstall all bitdefender software

7) Use the bitdefender uninstall software to remove any remaining software.
Uninstall Bitdefender

8) Use windows defender until the bsod troubleshooting is completed.

9) Uninstall Dragon Age Inquisition software and reinstall it when bsod troubleshooting is completed.

10) perform windows updates and post any failed KB# with error code.

1- Version 1703 (OS Build 15063.413)
2 - Done
3 - In the process of doing the rest, will probably respond tomorrow that mem test will need to be done overnight
4 -

Microsoft Windows [Version 10.0.15063](c) 2017 Microsoft Corporation. All rights reserved.


C:\WINDOWS\system32>dism /online /cleanup-image /restorehealth


Deployment Image Servicing and Management tool
Version: 10.0.15063.0


Image Version: 10.0.15063.0


[==========================100.0%==========================] The restore operation completed successfully.
The operation completed successfully.


C:\WINDOWS\system32>chkdsk /scan
The type of the file system is NTFS.
Volume label is SSD.


Stage 1: Examining basic file system structure ...
446208 file records processed.
File verification completed.
11672 large file records processed.
0 bad file records processed.


Stage 2: Examining file name linkage ...
547356 index entries processed.
Index verification completed.
0 unindexed files scanned.
0 unindexed files recovered to lost and found.


Stage 3: Examining security descriptors ...
Security descriptor verification completed.
50575 data files processed.
CHKDSK is verifying Usn Journal...
126191160 USN bytes processed.
Usn Journal verification completed.


Windows has scanned the file system and found no problems.
No further action is required.


116639743 KB total disk space.
69991008 KB in 270119 files.
156888 KB in 50576 indexes.
0 KB in bad sectors.
646095 KB in use by the system.
65536 KB occupied by the log file.
45845752 KB available on disk.


4096 bytes in each allocation unit.
29159935 total allocation units on disk.
11461438 allocation units available on disk.


C:\WINDOWS\system32>sfc /scannow


Beginning system scan. This process will take some time.


Beginning verification phase of system scan.
Verification 100% complete.


Windows Resource Protection did not find any integrity violations.


C:\WINDOWS\system32>

Sorry for not dong it in order, I already ran sfc scannow yesterday (It was the opposite of the current result and told me to restart and all)

Regarding number 9, I remember uninstalling rather deleting it long back and can't seem to be able to find it. (I ended up deleting it as I wasn't able to find the uninstaller and ended up going barbarian...)
How do I go on getting rid of it's remains?

Regarding 10, there is like 20+ of these with the same failed to install date

2017-05 Cumulative Update for Windows 10 Version 1703 for x64-based Systems (KB4020102)
Failed to install on 15-Jun-17

Weird after checking that, it changed from restart may be required to system is up to date

The mem test went smoothly, I was hoping 8 passes would be done by the time I wake up max I got was 5 (Image attached)