Occasional BSOD - Only Mssense.exe Dump Files written


  1. Posts : 3
    Windows 10
       #1

    Occasional BSOD - Only Mssense.exe Dump Files written


    For months now, I've had occasional BSOD's. Initially they were due to a critical process dying. I have cured most of those by re-formatting the system drive, re-installing Win 10, and turning off Win Defender and Malwarebytes (using Bitdefender). Malewarebytes, Hitman and Bitdefender find now malware on my system. Now I get a BSOD once every day or so with nothing written to my dump folder. However, I see dump files being written to another folder with names like "MsSense.exe.2688.protected.dmp" that my WhoCrashed and Win SDK crash dump can't read. Event viewer shows 1 to 3 of these files being written at each occurrence. These BSOD's typically happen when I leave my computer running unattended for an hour or so. I will either find it has rebooted or get the BSOD when I sit down again and move the mouse. My system event logs show a number of errors on booting which I cannot understand. Hopefully someone with more smarts can help me.
      My Computer


  2. Posts : 545
    seL4
       #2

    Does the following file exist: "C:\Windows\MEMORY.dmp"? If so, and if it was created recently, please compress it and upload it to a file sharing site so we can take a look at it.

    From the event logs I am seeing some disk and controller errors, I'd suggest testing your disks with HDTune as well as updating the chipset drivers for your system.

    Here are some examples of the errors in the event log.
    Code:
    Event[2522]:
      Log Name: System
      Source: Disk
      Date: 2017-08-17T16:08:59.955
      Event ID: 153
      Task: N/A
      Level: Warning
      Opcode: N/A
      Keyword: Classic
      User: N/A
      User Name: N/A
      Computer: Jupiter
      Description: 
    The IO operation at logical block address 0x5b974890 for Disk 3 (PDO name: \Device\00000042) was retried.
    Disk 3 is your Seagate 4TB drive.

    Code:
    Event[848]:
      Log Name: System
      Source: storahci
      Date: 2017-08-09T18:05:22.592
      Event ID: 129
      Task: N/A
      Level: Warning
      Opcode: N/A
      Keyword: Classic
      User: N/A
      User Name: N/A
      Computer: Jupiter
      Description: 
    Reset to device, \Device\RaidPort1, was issued.

    Regarding the crash dumps you did upload, MSSense.exe.<PID>.protected.dmp are crash dumps of Windows Defender, the "protected" comes from the fact that Windows Defender processes run as Protected Processes (Light). This also means that the crash dumps are encrypted and cannot be opened by 3rd parties.
      My Computer


  3. Posts : 41,412
    windows 10 professional version 1607 build 14393.969 64 bit
       #3

    In addition to the above steps outlined by Spectrum above please perform these steps:

    1) open administrative command prompt and type or copy and paste:
    2) sfc /scannow
    3) dism /online /cleanup-image /restorehealth

    4) When these have completed > right click on the top bar or title bar of the administrative command prompt box > left click on edit then select all > right click on the top bar again > left click on edit then copy > paste into the thread

    4) chkdsk /x /f /r
    This may take many hours so plan to run overnight.
    5) Open event.vwr to view the chkdsk results and post the results into the thread:
    Read Chkdsk Log in Event Viewer in Windows 10 Windows 10 Performance Maintenance Tutorials

    6) Uninstall and reinstall the Nvidia graphics driver: nvlddmkm.sys


    The best way to fix the misbehaving Nvidia driver is to uninstall everything Nvidia using Display driver uninstaller and install new drivers from the computer manufacturer's website or from the Nvidia website.


    The computer manufacturer's web site is preferred. Enter the computer's serial or product number and the operating system to view available drivers.


    If you use the Nvidia web site be sure the "clean install" box is checked and only install the graphics driver and the physx driver.


    Official Display Driver Uninstaller DDU Download


    Display Driver Uninstaller Download version 17.0.7.2


    Display Driver Uninstaller: How to use - Windows 7 Help Forums


    NVIDIA


    Code:
    9/6/2017 12:23 AM    Windows Error Reporting    Fault bucket LKD_0x141_Tdr:6_IMAGE_nvlddmkm.sys_Kepler_3D, type 0
    Event Name: LiveKernelEvent
    Response: Not available
    Cab Id: 9a0b0327-5d97-4f6d-9bed-70ff00dad755
    
    Problem signature:
    P1: 141
    P2: ffffb00b854d44a0
    P3: fffff809d1fdf44c
    P4: 0
    P5: 1a38
    P6: 10_0_15063
    P7: 0_0
    P8: 256_1
    P9: 
    P10: 
    
    Attached files:
    \\?\C:\WINDOWS\LiveKernelReports\WATCHDOG\WATCHDOG-20170905-2023.dmp
    \\?\C:\Windows\Temp\WER-5754875-0.sysdata.xml
    \\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WERDEDF.tmp.WERInternalMetadata.xml
    \\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WERDEDF.tmp.csv
    \\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WERDEFF.tmp.txt
    \\?\C:\Windows\Temp\WER13D.tmp.WERDataCollectionStatus.txt
    
    These files may be available here:
    C:\ProgramData\Microsoft\Windows\WER\ReportArchive\Kernel_141_a0a972ad907729332653f1939e59dfdda626c6_00000000_cab_26e002d2
    
    Analysis symbol: 
    Rechecking for solution: 0
    Report Id: dbda1c99-797b-4749-9386-3a5f36383d76
    Report Status: 268435456
    Hashed bucket:
      My Computer


  4. Posts : 3
    Windows 10
    Thread Starter
       #4

    Spectrumand zbook, thanks to both of you for the help.
    Spectrum,"C:\Windows\MEMORY.dmp"doesn't exist. I set Windows to dump to "C:\Windows\Mini.dmp"and it does if I get a BSOD for something like a critical process has died.

    Spectrum's keen eye finding the " The IO operation at logical block address 0x5b974890 for Disk 3 (PDO name: \Device\00000042) was retried. " error caused me to Google it for a solution. The fix is at http://www.pwrusr.com/system-adminis...sk-was-retried I ran the command "“bcdedit /set disabledynamicktick yes” as recommended there and rebooted. My computer has run for over 24 hours straight with no problem. I think the problem is fixed. THANK YOU SPECTRUM!
      My Computer


  5. Posts : 41,412
    windows 10 professional version 1607 build 14393.969 64 bit
       #5

    We have not yet been able to debug the minidump and memory.dmp files to troubleshot the BSOD as the minidump were encrypted.

    1) in the left lower corner search type: system > open system control panel > in the left pane click advanced system settings > click on startup and recovery settings > post an image into the thread

    2) See what you can do to modify the encrypting > post a new DM log collector zip > so that we can debug and throubleshoot the mini dump files

    3) open file explorer > this pc > local c: drive > in the right upper corner search type: C:\Windows\MEMORY.DMP
    Please post an image of the results.

    4) Download and install whocrashed
    http://www.resplendence.com/whocrashed
    Above analyze click on tools > crash dump test > type: ACCEPT >
    After the crash dump test click analyze > post the results into the thread
    Post a new zip: BSOD - Posting Instructions - Windows 10 Forums
    When the DM log collector finds the mini dump logs please allow it to collect so that the mini dumps are not encrypted and will allow us to troubleshoot them.

    5) When available please post the results from post #3.
      My Computer


  6. Posts : 3
    Windows 10
    Thread Starter
       #6

    Start Up and Recovery


    zbook,

    I've attached a jpg of my Start Up and Recovery pane. I've set memory dumps to go to the folder "Minidumps" in my Windows directory. Normal crash dumps usually show up there. The Mssense.exe dumps do not. I copied some of the Mssense.exe dumps there previously to see if WhoCrashed could read them. It can't. Windows SDK crash dump can't read them either. The Mssense.exe dumps are encrypted as I learned and Spectrum noted. Apparently they get sent to Microsoft so they can see what they screwed up without letting anyone else know.

    Anyway, as I noted in a prior response that must have crossed with yours, the crash problem is fixed. I've been running for 48 hours now with no problems. My start up is around 30 seconds with a few errors showing in event logs, but nothing that seems to be causing any symptoms.

    Thanks again for your help.
      My Computer


  7. Posts : 41,412
    windows 10 professional version 1607 build 14393.969 64 bit
       #7

    Which steps were you able to complete in posts #3 and what were the results?

    Read Chkdsk Log in Event Viewer in Windows 10 Windows 10 Performance Maintenance Tutorials

    Which antivirus products are always on?
    Bitdefender
    Windows defender
    Malwarebytes

    Please check to see which are currently on and off.


    When the encryption is off it may be easier to troubleshoot other problems displayed in the event logs:

    Code:
    Event[7415]:  Log Name: System
      Source: Service Control Manager
      Date: 2017-09-08T10:26:50.640
      Event ID: 7034
      Task: N/A
      Level: Error
      Opcode: N/A
      Keyword: Classic
      User: N/A
      User Name: N/A
      Computer: Jupiter
      Description: 
    The Windows Defender Advanced Threat Protection Service service terminated unexpectedly.  It has done this 3 time(s).
    Code:
    Event[7414]:  Log Name: System
      Source: Application Popup
      Date: 2017-09-08T10:26:50.330
      Event ID: 26
      Task: N/A
      Level: Information
      Opcode: Info
      Keyword: N/A
      User: S-1-5-18
      User Name: NT AUTHORITY\SYSTEM
      Computer: Jupiter
      Description: 
    Application popup: Windows - Bad Image : Exception Processing Message 0xc000007b Parameters 0x7ffb8c551718 0xffffffffc0000428 0x7ffb8c551718 0x7ffb8c551718
    Code:
    Event[7403]:  Log Name: System
      Source: Application Popup
      Date: 2017-09-08T10:24:47.945
      Event ID: 26
      Task: N/A
      Level: Information
      Opcode: Info
      Keyword: N/A
      User: S-1-5-18
      User Name: NT AUTHORITY\SYSTEM
      Computer: Jupiter
      Description: 
    Application popup: Windows - Bad Image : Exception Processing Message 0xc000007b Parameters 0x7ffb8c551718 0xffffffffc0000428 0x7ffb8c551718 0x7ffb8c551718
    
    
    Event[7404]:
      Log Name: System
      Source: Service Control Manager
      Date: 2017-09-08T10:24:48.745
      Event ID: 7034
      Task: N/A
      Level: Error
      Opcode: N/A
      Keyword: Classic
      User: N/A
      User Name: N/A
      Computer: Jupiter
      Description: 
    The Windows Image Acquisition (WIA) service terminated unexpectedly.  It has done this 1 time(s).

    Code:
    bdprivmon    bdprivmon              bdprivmon              File System   Boot       Stopped    OK         FALSE       FALSE        4,096             8,192       0          5/9/2017 8:59:18 AM    C:\WINDOWS\system32\DRIVERS\bdprivmon.sys
    Code:
    Event[7398]:  Log Name: System
      Source: Service Control Manager
      Date: 2017-09-08T10:24:45.528
      Event ID: 7026
      Task: N/A
      Level: Information
      Opcode: N/A
      Keyword: Classic
      User: N/A
      User Name: N/A
      Computer: Jupiter
      Description: 
    The following boot-start or system-start driver(s) did not load: 
    bdprivmon
    dam
    EhStorClass
    Code:
    Event[7386]:  Log Name: System
      Source: BTHUSB
      Date: 2017-09-08T10:24:43.531
      Event ID: 34
      Task: N/A
      Level: Warning
      Opcode: N/A
      Keyword: Classic
      User: N/A
      User Name: N/A
      Computer: Jupiter
      Description: 
    The local adapter does not support an important Low Energy controller state to support peripheral mode.  The minimum required supported state mask is 0x491f7fffff, got 0x1fffffff.  Low Energy peripheral role functionality will not be available.

    Code:
    Event[7385]:  Log Name: System
      Source: Microsoft-Windows-Directory-Services-SAM
      Date: 2017-09-08T10:24:43.435
      Event ID: 16962
      Task: N/A
      Level: Information
      Opcode: Info
      Keyword: N/A
      User: S-1-5-18
      User Name: NT AUTHORITY\SYSTEM
      Computer: Jupiter
      Description: 
    Remote calls to the SAM database are being restricted using the default security descriptor: O:SYG:SYD:(A;;RC;;;BA).
    For more information please see http://go.microsoft.com/fwlink/?LinkId=787651.
    Code:
    Event[7326]:  Log Name: System
      Source: Service Control Manager
      Date: 2017-09-07T22:06:16.815
      Event ID: 7034
      Task: N/A
      Level: Error
      Opcode: N/A
      Keyword: Classic
      User: N/A
      User Name: N/A
      Computer: Jupiter
      Description: 
    The Windows Defender Advanced Threat Protection Service service terminated unexpectedly.  It has done this 3 time(s).
    Code:
    Event[7323]:  Log Name: System
      Source: Application Popup
      Date: 2017-09-07T22:05:14.486
      Event ID: 26
      Task: N/A
      Level: Information
      Opcode: Info
      Keyword: N/A
      User: S-1-5-18
      User Name: NT AUTHORITY\SYSTEM
      Computer: Jupiter
      Description: 
    Application popup: Windows - Bad Image : Exception Processing Message 0xc000007b Parameters 0x7ffd58921718 0xffffffffc0000428 0x7ffd58921718 0x7ffd58921718
      My Computer


 

  Related Discussions
Our Sites
Site Links
About Us
Windows 10 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 10" and related materials are trademarks of Microsoft Corp.

© Designer Media Ltd
All times are GMT -5. The time now is 11:03.
Find Us




Windows 10 Forums