0x7f Error with Trend Micro Worry Free

[Mike]

Hi all,

I'm getting a 0x7f (stop error/bsod) after I install Trend Micro Worry Free.
More specifically I can reboot once (sometimes) and not get the error, but
after it's been installed for 30 minutes or so by the 2nd reboot it produces
a 0x7f Stop error when booting. Symantec AV Corp Ed v10.x and McAfee TOPs
have both been on the system in the past but have been removed using their
uninstallers AND their special uninstall utilities (separate from built-in
uninstaller).

The following are what I've found through troubleshooting:

-I can boot to safe mode. (however safe mode with network support produces
0x7f Stop Error)

-Trend Micro Technical Support examined dump file and said the following
"...the memory dump is pointing a crash on a core windows component.
File "ntkrnlmp.exe" based on some research is related to core Windows driver
and is an indication of a hardware problem..."

-From Safe mode I can uninstall Trend Micro and Windows will then
immediately boot normally. This is why I think this is not hardware
related. This is very re-producible.

-Trend Micro Tech Support also suggested this hotfix
http://support.microsoft.com/kb/961775, but when I downloaded I found the
files contained in that hotfix (tds.sys and afd.sys) were verions
6.0.6001.22374 and my files (on Vista SP2) are 6.0.6002.18005. I had this
issue when I was running Vista SP1 so I installed Vista SP2 and the issue
followed. Due to what I saw in file versions I thought it best to NOT run
this hotfix.


Any suggestions are appreciated!

Thanks,
Mike

 

[Mike]

Please don't reply with posts that don't provide a solution or suggestion to
the issue.

No offense, but I didn't request alternative AV/AS solutions. If I did, I
would have stated requirements such as centralized management, deployment,
low resource usage, etc and your suggestions would not meet them.

 

[Gene E. Bloch]

Please don't reply with posts that don't provide a solution or suggestion to
the issue.

No offense, but I didn't request alternative AV/AS solutions. If I did, I
would have stated requirements such as centralized management, deployment,
low resource usage, etc and your suggestions would not meet them.

No offense, but your problem seems to come under the rubric of
"Doctor, it hurts when I do this."
"Then don't do it."

 

[Andy Huang]

Replace with PC Tools Spyware Doctor & Symantec Antivirus.

 

[Andy Huang]

i meant Norton

 

[Mike]

Gene, I don't think you understood my last post. This forum is for
technical collaboration, not useless cliche.

 

[Michael]

This isn't a forum. It's a Usenet newsgroup, and Andy Huang is a known
unemployed, gay, friendless troll who you should pay no attention to.
--

Don't pick a fight with an old man.
If he is too old to fight, he'll just kill you.

Gene, I don't think you understood my last post. This forum is for
technical collaboration, not useless cliche.

 

[Guest]

From Debugging Tools for Windows

Bug Check 0x7F: UNEXPECTED_KERNEL_MODE_TRAP
The UNEXPECTED_KERNEL_MODE_TRAP bug check has a value of 0x0000007F. This
indicates that a trap was generated by the Intel CPU and the kernel failed
to catch this trap.

This could be either a bound trap (a trap the kernel is not permitted to
catch) or a double fault (a fault that occurred while processing an earlier
fault, which always results in a system crash).


Parameters
The first parameter displayed on the blue screen specifies the trap number.

Here are some of the most common trap codes:

0x00000000, or Divide by Zero Error, is caused when a DIV instruction is
executed and the divisor is zero. Memory corruption, other hardware
problems, or software failures can cause this error.
0x00000004, or Overflow, occurs when the processor executes a call to an
interrupt handler when the overflow (OF) flag is set.
0x00000005, or Bounds Check Fault, is generated when the processor, while
executing a BOUND instruction, finds the operand exceeds the specified
limits. A BOUND instruction is used to ensure that a signed array index is
within a certain range.
0x00000006, or Invalid Opcode, is generated when the processor attempts to
execute an invalid instruction. This is generally caused when the
instruction pointer has become corrupted and is pointing to the wrong
location. The most common cause of this is hardware memory corruption.
0x00000008, or Double Fault, is when an exception occurs while trying to
call the handler for a prior exception. Normally, the two exceptions can be
handled serially. However, there are several exceptions that cannot be
handled serially, and in this situation the processor signals a double
fault. There are two common causes of a double fault:
A kernel stack overflow. This occurs when a guard page is hit, and then the
kernel tries to push a trap frame. Since there is no stack left, a stack
overflow results, causing the double fault. If you suspect this has
occurred, use !thread to determine the stack limits, and then use kb
(Display Stack Backtrace) with a large parameter (for example, kb 100) to
display the full stack.
A hardware problem.

The less-common trap codes include:

0x00000001 - A system-debugger call
0x00000003 - A debugger breakpoint
0x00000007 - A hardware coprocessor instruction with no coprocessor present
0x0000000A - A corrupted Task State Segment
0x0000000B - An access to a memory segment that was not present
0x0000000C - An access to memory beyond the limits of a stack
0x0000000D - An exception not covered by some other exception; a protection
fault that pertains to access violations for applications

For other trap numbers, consult an Intel architecture manual.

Cause
Bug check 0x7F usually occurs after the installation of faulty or mismatched
hardware (especially memory) or in the event that installed hardware fails.

A double fault can occur when the kernel stack overflows. This can happen if
multiple drivers are attached to the same stack. For example, two file
system filter drivers can be attached to the same stack and then the file
system can recurse back in, overflowing the stack.

Resolving the Problem
Debugging: Always begin with the !analyze extension.

If this is not sufficient, use the kv (Display Stack Backtrace) debugger
command.

If kv shows a taskGate, then use the .tss (Display Task State Segment)
command on the part before the colon.
If kv shows a trap frame, then use the .trap (Display Trap Frame) command to
format the frame.
Otherwise, use the .trap (Display Trap Frame) command on the appropriate
frame. (On x86 platforms, this frame is associated with the procedure
NT!KiTrap.)
After this, use kv again to display the new stack.

Troubleshooting: If hardware was recently added to the system, remove it to
see if the error recurs. If existing hardware has failed, remove or replace
the faulty component. Run hardware diagnostics supplied by the system
manufacturer, to determine which hardware component has failed. The memory
scanner is especially important; faulty or mismatched memory can cause this
bug check. For details on these procedures, see the owner's manual for your
computer. Check that all adapter cards in the computer are properly seated.
Use an ink eraser or an electrical contact treatment, available at
electronics supply stores, to ensure adapter card contacts are clean.

If the error appears on a newly installed system, check the availability of
updates for the BIOS, the SCSI controller or network cards. Updates of this
kind are typically available on the Web site or BBS of the hardware
manufacturer.

Confirm that all hard disks, hard disk controllers, and SCSI adapters are
listed in the Microsoft Windows Marketplace Tested Products List.

If the error occurred after the installation of a new or updated device
driver, the driver should be removed or replaced. If, under this
circumstance, the error occurs during the startup sequence and the system
partition is formatted with NTFS, you might be able to use Safe Mode to
rename or delete the faulty driver. If the driver is used as part of the
system startup process in Safe Mode, you need to start the computer using
the Recovery Console in order to access the file. Also try restarting your
computer, and press F8 at the character-based menu that displays the
operating system choices. At the resulting Windows Advanced Options menu,
choose the Last Known Good Configuration option. This option is most
effective when only one driver or service is added at a time.

Overclocking (setting the CPU to run at speeds above the rated
specification) can cause this error. If this has been done to the computer
experiencing the error, return the CPU to the default clock speed setting.

Check the System Log in Event Viewer for additional error messages that
might help pinpoint the device or driver that is causing the error.
Disabling memory caching of the BIOS might also resolve it.

If you encountered this error while upgrading to a new version of Windows,
it might be caused by a device driver, a system service, a virus scanner, or
a backup tool that is incompatible with the new version. If possible, remove
all third-party device drivers and system services and disable any virus
scanners prior to upgrading. Contact the software manufacturer to obtain
updates of these tools. Also make sure that you have installed the latest
Windows Service Pack.

Finally, if all the above steps fail to resolve the error, take the system
motherboard to a repair facility for diagnostic testing. A crack, a
scratched trace, or a defective component on the motherboard can also cause
this error.



--
..
--

Gene, I don't think you understood my last post. This forum is for
technical collaboration, not useless cliche.

 

[Rick Rogers]

Hi Mike,

While I understand your request, the facts are:

a) The problem is clearly caused by Trend's software. You have proven this.

b) They (Trend) are unable or unwilling to resolve it. Errors in the NT
kernel are caused by software not following design parameters, bad
supporting driver files, or hardware (described here:
http://support.microsoft.com/kb/137539). The latter of these is unlikely
because as mentioned in (a), you have already isolated the cause.

c) You don't want alternative solutions.

Clearly no one here is going to know more about issues with Trend's software
and Vista than is Trend support. I'm not sure what you are expecting to get
out of your post. Support in this venue is supplied by other users.

If one thing doesn't work, try something else. If one company cannot resolve
issues with their software, try another until you get the level of
satisfaction you desire.

--
Best of Luck,

Rick Rogers, aka "Nutcase" - Microsoft MVP

Windows help - www.rickrogers.org
Vote for my shoe: http://rick-mvp.blogspot.com

 

[Mike]

Thank you very much for your helpful reply.

The trap code is 0x8 in this case. The information you provide is very
interesting. I originally started my troubleshooting looking for kernel
mode drivers I could eliminate thinking the kernel space was crowded based
on other research. This article
http://support.microsoft.com/kb/822789/en-us and the linked Symantec article
were what led me down that path.

I checked and there is an updated BIOS driver for my laptop (Compal IFL90).
I'll try that and then start with the Debugging Tools for Windows. I'll
post positive results if I reach a conclusion.

Thanks again for your help!
Mike

From Debugging Tools for Windows

Bug Check 0x7F: UNEXPECTED_KERNEL_MODE_TRAP
The UNEXPECTED_KERNEL_MODE_TRAP bug check has a value of 0x0000007F. This
indicates that a trap was generated by the Intel CPU and the kernel failed
to catch this trap.

This could be either a bound trap (a trap the kernel is not permitted to
catch) or a double fault (a fault that occurred while processing an
earlier fault, which always results in a system crash).


Parameters
The first parameter displayed on the blue screen specifies the trap
number.

Here are some of the most common trap codes:

0x00000000, or Divide by Zero Error, is caused when a DIV instruction is
executed and the divisor is zero. Memory corruption, other hardware
problems, or software failures can cause this error.
0x00000004, or Overflow, occurs when the processor executes a call to an
interrupt handler when the overflow (OF) flag is set.
0x00000005, or Bounds Check Fault, is generated when the processor, while
executing a BOUND instruction, finds the operand exceeds the specified
limits. A BOUND instruction is used to ensure that a signed array index is
within a certain range.
0x00000006, or Invalid Opcode, is generated when the processor attempts to
execute an invalid instruction. This is generally caused when the
instruction pointer has become corrupted and is pointing to the wrong
location. The most common cause of this is hardware memory corruption.
0x00000008, or Double Fault, is when an exception occurs while trying to
call the handler for a prior exception. Normally, the two exceptions can
be handled serially. However, there are several exceptions that cannot be
handled serially, and in this situation the processor signals a double
fault. There are two common causes of a double fault:
A kernel stack overflow. This occurs when a guard page is hit, and then
the kernel tries to push a trap frame. Since there is no stack left, a
stack overflow results, causing the double fault. If you suspect this has
occurred, use !thread to determine the stack limits, and then use kb
(Display Stack Backtrace) with a large parameter (for example, kb 100) to
display the full stack.
A hardware problem.

The less-common trap codes include:

0x00000001 - A system-debugger call
0x00000003 - A debugger breakpoint
0x00000007 - A hardware coprocessor instruction with no coprocessor
present
0x0000000A - A corrupted Task State Segment
0x0000000B - An access to a memory segment that was not present
0x0000000C - An access to memory beyond the limits of a stack
0x0000000D - An exception not covered by some other exception; a
protection fault that pertains to access violations for applications

For other trap numbers, consult an Intel architecture manual.

Cause
Bug check 0x7F usually occurs after the installation of faulty or
mismatched hardware (especially memory) or in the event that installed
hardware fails.

A double fault can occur when the kernel stack overflows. This can happen
if multiple drivers are attached to the same stack. For example, two file
system filter drivers can be attached to the same stack and then the file
system can recurse back in, overflowing the stack.

Resolving the Problem
Debugging: Always begin with the !analyze extension.

If this is not sufficient, use the kv (Display Stack Backtrace) debugger
command.

If kv shows a taskGate, then use the .tss (Display Task State Segment)
command on the part before the colon.
If kv shows a trap frame, then use the .trap (Display Trap Frame) command
to format the frame.
Otherwise, use the .trap (Display Trap Frame) command on the appropriate
frame. (On x86 platforms, this frame is associated with the procedure
NT!KiTrap.)
After this, use kv again to display the new stack.

Troubleshooting: If hardware was recently added to the system, remove it
to see if the error recurs. If existing hardware has failed, remove or
replace the faulty component. Run hardware diagnostics supplied by the
system manufacturer, to determine which hardware component has failed. The
memory scanner is especially important; faulty or mismatched memory can
cause this bug check. For details on these procedures, see the owner's
manual for your computer. Check that all adapter cards in the computer are
properly seated. Use an ink eraser or an electrical contact treatment,
available at electronics supply stores, to ensure adapter card contacts
are clean.

If the error appears on a newly installed system, check the availability
of updates for the BIOS, the SCSI controller or network cards. Updates of
this kind are typically available on the Web site or BBS of the hardware
manufacturer.

Confirm that all hard disks, hard disk controllers, and SCSI adapters are
listed in the Microsoft Windows Marketplace Tested Products List.

If the error occurred after the installation of a new or updated device
driver, the driver should be removed or replaced. If, under this
circumstance, the error occurs during the startup sequence and the system
partition is formatted with NTFS, you might be able to use Safe Mode to
rename or delete the faulty driver. If the driver is used as part of the
system startup process in Safe Mode, you need to start the computer using
the Recovery Console in order to access the file. Also try restarting your
computer, and press F8 at the character-based menu that displays the
operating system choices. At the resulting Windows Advanced Options menu,
choose the Last Known Good Configuration option. This option is most
effective when only one driver or service is added at a time.

Overclocking (setting the CPU to run at speeds above the rated
specification) can cause this error. If this has been done to the computer
experiencing the error, return the CPU to the default clock speed setting.

Check the System Log in Event Viewer for additional error messages that
might help pinpoint the device or driver that is causing the error.
Disabling memory caching of the BIOS might also resolve it.

If you encountered this error while upgrading to a new version of Windows,
it might be caused by a device driver, a system service, a virus scanner,
or a backup tool that is incompatible with the new version. If possible,
remove all third-party device drivers and system services and disable any
virus scanners prior to upgrading. Contact the software manufacturer to
obtain updates of these tools. Also make sure that you have installed the
latest Windows Service Pack.

Finally, if all the above steps fail to resolve the error, take the system
motherboard to a repair facility for diagnostic testing. A crack, a
scratched trace, or a defective component on the motherboard can also
cause this error.

 

[Mike]

Thanks for you reply Rick.

Like I said in this my other post I'll pursue a BIOS update as there is a
slightly newer version. The article you referenced also suggests BIOS
updates, but I don't think it's a hardware issue. I think it's most
specifically a kernel mode driver that may not have been removed that is no
longer necessary or just crowed kernel space from all drivers that are
present.

I do not completely agree with what you call the "facts". I agree Trend's
AV software brings out a shortcoming of Windows or this particular Windows
environment but there are ways to troubleshoot and that's what advice I was
looking for - how to troubleshoot. You say I wasn't looking for
"alternative solutions" but if you look back all I said is I didn't want an
alternative AV software solution. Not worthy of me repeating or you
creating a bulleted fact.

Alos, as a note to all who are looking for AV software I've been very
satisfied with Trend support. I'm demoing Trend because as a technical
consulting firm we're no longer happy with Symantec AV Corp Ed (good thru
v10, but crap in 11+) nor are we happy with McAfee. Trend support has
provided free and in-depth troubleshooting despite us not having purchased
their product. I believe this issue is fairly limited to my system. Trend
answers the phone call in about 5-10 minutes and starts good troubleshooting
immediately - Symantec would have me waiting on the phone for 3 hours and
McAfee 1st level support reads from a script.

 

[Guest]

I'd run Windows Memory DiagnosticTool to check your memory. Type memory in
Start's searchbox.

 

[Gene E. Bloch]

Gene, I don't think you understood my last post. This forum is for technical
collaboration, not useless cliche.

Mike, I don't think you understood my last post.