sfc /scannow repeatedly stops for graphics driver files

Hi,

I would like an update if possible to a problem that Mailman discussed back in 2006 [thread]56338[/thread] where the system file checker utility would continually stop for ATI/Nvidia files. My problem would appear to be the same in that I used Cab Cleaner [Driver Cleaner Pro] a while back.

There was a similar thread again where Mailman advised a user to replace the Driver.cab in C:\WINDOWS\Driver Cache\i386\ with a clean copy either from the original install CD or the slipstreamed CD [thread]59514[/thread]; unfortunately the user did not reply as to the result.

I have followed as best I can the above mentioned threads and followed instructions to put a copy of the i386 folder on C:/ copied from my slipstreamed SP3 CD. When I come to replace the Driver.cab file on my hard drive, however, which is 117MB in size, with a copy from either the original CD or slipstreamed SP3 CD,both are 73.1MB, there is quite a difference in size. My question is whether it is safe to proceed and do this as I do not wish to reinstall XP for obvious reasons. The reason I wanted to try the system file checker was because of random BSODs.

Thank you.

 

Here is what I would do. Rename the larger Driver.Cab to DriverBig.Cab, or anything else that you can remember. Then copy the smaller Driver.Cab in the folder. This way you can have both copies available to you.

 

Thank you for the reply. Are you saying that sfc will then use both of these cab files?
As an update to my troubles I have had to recover from a fatal PCI.sys error and copied back an earlier image of my system [could not boot into safe mode either]. This happened when I rebooted and am not sure if down to the sfc scan I performed or not. I have removed a Hauppage Nova TD 500 PCI card, which has a PCI to USB bridge, from my ageing system too. So far so good.

 

If you follow this instruction you can produce a report of previous crashes and post the last one on the forum. We might then be able to see what is causing the BSOD's.

http://www.windowsbbs.com/general-discussions/33471-dump-data-collection-tool-instructions.html

I would also suggest you run a Repair Install from the XP disc which will leave all your other software and files intact while replacing the system files.

http://www.michaelstevenstech.com/XPrepairinstall.htm

 

Thank you Mark but as I understand it a Repair Install means I shall have to reinstall all updates presumably since SP3, which number over 100 I believe, so is not really an option for me - I do wish Microsoft would release a roll-up of all these patches! I do agree though that it is one option.

Some of the BSODs I have been getting appear to be related to Acronis True I mage 2011, which I uninstalled a week ago; Acronis are investigating the issue now. This matter has been ongoing since November and seemed to be resolved with release of their new build last month but reared it's ugly head again when I switched from AVG Free 2011 AV to Microsoft Security Essentials a couple of weeks or so ago.

Unfortunately no minidump was created from the PCI.sys crash/problem the other day and the last minidump was regards error 0x10000050 Page_Fault_In_Nonpaged_Area. I have cleaned the RAM contacts and not long ago ran memory tests for a couple of days with no errors thrown up. Unfortunately this minidump was corrupted so is of no use for analysis. The three or four prior crashes as I have said relate to True Image 'tho MPFilter.sys [MSE driver was listed as the culprit in Nirsoft BlueScreenView] and has not recurred since uninstalling TI.

I ran sfc hoping it would cure a few of these problems, but according to Event Viewer no system files were replaced - only these graphic files popped up and most of them I cancelled apart from five which ended up in the dllcache very much as in Mailman's old post which I referred to earlier.

Anymore developments and I shall post.

 

Are you saying that sfc will then use both of these cab files?
No, SFC won't be looking for DriverBig.Cab. By renaming the larger one, and then copying the smaller one into the folder, it gives you a chance to keep both of them without one getting in the way of the other. Later, if you want the larger one instead, first rename the smaller one, the you can rename the original larger back to Driver.Cab .
I see the thread has moved onto other things, but I hope this helps.

 

When you removed AVG did you use their removal tool. If not, go to the AVG site download and run the removal tool. Remnants of the AVG install could be conflicting with MSE. AVG has been known to cause problems, do you have a third party firewall installed as some have been known to cause conflicts with AVG.

http://www.avg.com/gb-en/download-tools

Memory tests are not conclusive, the best way to test the memory is to run the PC on just one memory stick at a time.

It sounds as if this problem has all been due to Acronis and AVG. AVG has caused many problems with conflicts especially recently with the 2011 version. I've not come across any problems with Acronis, sometimes the minidumps will name the software or driver that has conflicted with other software and is not always the one that caused the problem.

 

Well I didn't have to wait long for the next BSOD - this morning and never made it to the desktop and Mpfilter.sys was named as the problem:-

Here's analysis of the minidump:_



Microsoft (R) Windows Debugger Version 6.11.0001.402 X86
Copyright (c) Microsoft Corporation. All rights reserved.


Loading Dump File [C:\WINDOWS\Minidump\Mini012811-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available

Symbol search path is: SRV*c:\symbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
Windows XP Kernel Version 2600 (Service Pack 3) UP Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS Personal
Built by: 2600.xpsp_sp3_gdr.100427-1636
Machine Name:
Kernel base = 0x804d7000 PsLoadedModuleList = 0x8055b1c0
Debug session time: Fri Jan 28 13:06:33.531 2011 (GMT+0)
System Uptime: 0 days 0:00:44.125
Loading Kernel Symbols
...............................................................
................................................................
..........................
Loading User Symbols
Loading unloaded module list
........
Unable to load image MpFilter.sys, Win32 error 0n2
*** WARNING: Unable to verify timestamp for MpFilter.sys
*** ERROR: Module load completed but symbols could not be loaded for MpFilter.sys
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 1000008E, {c0000005, adc5177f, f75167e0, 0}

Probably caused by : MpFilter.sys ( MpFilter+1177f )

Followup: MachineOwner
---------

kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

KERNEL_MODE_EXCEPTION_NOT_HANDLED_M (1000008e)
This is a very common bugcheck. Usually the exception address pinpoints
the driver/function that caused the problem. Always note this address
as well as the link date of the driver/image that contains this address.
Some common problems are exception code 0x80000003. This means a hard
coded breakpoint or assertion was hit, but this system was booted
/NODEBUG. This is not supposed to happen as developers should never have
hardcoded breakpoints in retail code, but ...
If this happens, make sure a debugger gets connected, and the
system is booted /DEBUG. This will let us see why this breakpoint is
happening.
Arguments:
Arg1: c0000005, The exception code that was not handled
Arg2: adc5177f, The address that the exception occurred at
Arg3: f75167e0, Trap Frame
Arg4: 00000000

Debugging Details:
------------------


EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx ". The memory could not be "%s ".

FAULTING_IP:
MpFilter+1177f
adc5177f ad lods dword ptr [esi]

TRAP_FRAME: f75167e0 -- (.trap 0xfffffffff75167e0)
ErrCode = 00000000
eax=8959cda8 ebx=804db650 ecx=8ab0a3fc edx=8ab0a41c esi=0000919b edi=c43f7815
eip=adc5177f esp=f7516854 ebp=f7516860 iopl=0 nv up ei pl zr na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010246
MpFilter+0x1177f:
adc5177f ad lods dword ptr [esi] ds:0023:0000919b=????????
Resetting default scope

CUSTOMER_CRASH_COUNT: 1

DEFAULT_BUCKET_ID: DRIVER_FAULT

BUGCHECK_STR: 0x8E

PROCESS_NAME: winlogon.exe

LAST_CONTROL_TRANSFER: from adc4bab4 to adc5177f

STACK_TEXT:
WARNING: Stack unwind information not available. Following frames may be wrong.
f7516860 adc4bab4 8ab0a3fc 00000000 8ab0a398 MpFilter+0x1177f
f751693c adc4c020 894649a4 f751698c 00000040 MpFilter+0xbab4
f7516968 f747aef3 894649a4 f751698c 00000040 MpFilter+0xc020
f75169d0 f747d338 00464948 00000000 89464948 fltmgr!FltpPerformPostCallbacks+0x1c5
f75169e4 f747d867 89464948 89379d98 f7516a24 fltmgr!FltpProcessIoCompletion+0x10
f75169f4 f747def9 89d7c638 89379d98 89464948 fltmgr!FltpPassThroughCompletion+0x89
f7516a24 f748a754 f7516a44 00000000 00000000 fltmgr!FltpLegacyProcessingAfterPreCallbacksCompleted+0x269
f7516a60 804e3807 89d7c638 89379d98 89379d98 fltmgr!FltpCreate+0x26a
f7516a70 8056c8e8 8ac0a788 8941aabc f7516c18 nt!IopfCallDriver+0x31
f7516b50 80563fec 8ac0a7a0 00000000 8941aa18 nt!IopParseDevice+0xa12
f7516bd8 805684ca 00000000 f7516c18 00000040 nt!ObpLookupObjectName+0x56a
f7516c2c 8056cdc3 00000000 00000000 00000001 nt!ObOpenObjectByName+0xeb
f7516ca8 8056ce92 0006cee0 00100020 0006ceb4 nt!IopCreateFile+0x407
f7516d04 8056cf5a 0006cee0 00100020 0006ceb4 nt!IoCreateFile+0x8e
f7516d44 804de7ec 0006cee0 00100020 0006ceb4 nt!NtOpenFile+0x27
f7516d44 7c90e514 0006cee0 00100020 0006ceb4 nt!KiFastCallEntry+0xf8
0006ced4 00000000 00000000 00000000 00000000 0x7c90e514


STACK_COMMAND: kb

FOLLOWUP_IP:
MpFilter+1177f
adc5177f ad lods dword ptr [esi]

SYMBOL_STACK_INDEX: 0

SYMBOL_NAME: MpFilter+1177f

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: MpFilter

IMAGE_NAME: MpFilter.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 4c8fe7ef

FAILURE_BUCKET_ID: 0x8E_MpFilter+1177f

BUCKET_ID: 0x8E_MpFilter+1177f

Followup: MachineOwner
---------

Markmadras - Thanks Mark I did run the AVG cleaner tool and also Kapersky cleaner tool as I had been using their 2010 Internet Security Suite.

I almost whipped out one of the RAM modules the other day when I cleaned the contacts; perhaps I will do this next on next boot. I suppose it might be a faulty slot too, so I would have to try same stick in the other to make sure if BSODs continue to rule that out before trying the other stick/module.

Markp62 - Thank you, I now understand. Yes, things have sort of shifted to other things, but the reason I ran SFC was because of these BSODs; however, by running SFC I caused further problems.
I had a good think earlier as to when all this trouble started and can put it back to a year or so ago when I changed my graphics card. My motherboard is an old Asus A7N8X Rev 2.0 which came with a nVidia 5600FX. I bought a new large monitor with 1920 x 1080 display so I changed aforesaid card to Gigabyte HD 4650 1GB AGP. The supplied drivers would not work with this card [as I understand it this card is PCIe based with a PCIe to AGP bridge chip] and I have been using AMD's own as a hotfix was apparently needed due to problems getting it to work!

I am contemplating that perhaps I ought to put the old card back in, but am not sure whether it would be powerful enough to drive this monitor.

I have just looked on AMD's site to find that another driver update for the HD 4650 card has been released, but from what I can see in the release notes it is mainly for certain games to run better [they release monthly updates for same reasons]; I am using quite recent drivers.

I'll await for some advice from your good selves before I do anything else.

 

I am begining to wonder if you have an infection despite your use of MSE. It is possible for the winlogon.exe file to become infected and you will require help removing it. I doubt if MSE is causing a BSOD but sometimes these crash dumps can point at the wrong device. Our Malware and Virus forum can help to clean your PC, go to this link:

http://www.windowsbbs.com/malware-virus-removal/announcements.html

First though, I would suggest getting to the bottom of the graphics driver problem, you may like to try using driver verifier, this will most likely cause more BSOD's while it is switched on but might help to pinpoint the problem if it is driver related.

http://www.microsoft.com/whdc/DevTools/tools/Verifier.mspx

A quick user guide is here: http://www.techrepublic.com/article...th-xps-hidden-driver-verifier-manager/5714091

From the trouble you have just explained with the graphics driver, on top`of the SFC scan requesting graphics drivers, it is looking like it is the graphics card with incompatible drivers that is the route cause of the problems.

I would suggest you put the old graphics card and drivers back in (run sfc /scannow which should no longer ask for the drivers) and then you will soon see if the BSOD's continue, hopefully verifying the cause. It looks like there is a possibility that the present graphics card is not compatible with your motherboard.

Unfortunately (as you have noted) the old card may not work correctly with the large screen so the other option would be to get a more suitable graphics card that will work on your motherboard, checking the compatability before purchase.

 

Markmadras;- Thank you Mark for your latest reply; I am going to take the latter option and reinstall the old graphics card/drivers and if necessary I'll use the old screen again with it. I'll obviously remove the ATI drivers/catalyst control centre.

I find it hard to believe that I have an infection as I am always running scans of one sort or another. However, I shall do another full scan with MSE & MBAM [and I always run Spybot each week, and Microsoft's monthly Malware removal tool].

Acronis wrote to me today and asked me to reinstall True Image 2011 and run their system report utility, a copy of which I have now sent to them for their analysis. So far today, no more BSODs since first booting up this morning; it's completely random as to when they occur.

It also looks like this old mobo is an OEM board and not a standard Asus A7N8X Rev 2.0 from what I can tell from the Users manual. I'll download the driver package from the manufacturer's web site as I have a feeling the graphics adapter is also OEM.

I'll post back as soon as I have more news/developments.

 

OK, thanks for the update, look forward to seeing what is at the root of this problem.

My suggestion that you may have an infection was thinking aloud. But, some viruses can get in and be very hard to detect, no AV software is 100%.

Hopefully the problem will be resolved by dealing with the graphics card issue.

 

Just a quick update to let you know what has been happening these past few days:-

Reinstalled old graphics card Geforce 5600 FX. I have tried various drivers with this card [currently using the most up to date] to try and get 1920 x 1080 resolution in DVI output but no luck; strangely there is an output for this but it overscans i.e. I have to scroll the desktop. I believe it may be more successful in VGA output, but yet to try.

As far as BSODs, I have had one so far and one freeze up. Apart from that no further mishaps.

Looks like it was probably an incompatability with the HD 4650 AGP card/drivers.

I am contemplating a reinstall on a new drive, but it does seem rather daunting.

 

Seems like you are getting there but I still wonder what is behind the problem with your graphics drivers.

This link has a guide that may help. It shows how to check for usused drivers that are still in the system. The link has Vista in the line but I assure you it is also for XP.

Any driver that shows up as faded can be deleted, you might be surprised how many duplicate drivers you have installed.

http://www.howtogeek.com/howto/windows-vista/remove-old-drivers-after-upgrading-to-new-hardware/

 

Thanks Mark - however, today I am not too sure as another BSOD occurred during boot up naming mpfilter.sys as the culprit, this is the Microsoft Security Essentials driver, but once again tdrpm273.sys [Acronis True Image Home 2011 - this is the driver for their 'Try and Decide' option within the program] was in the stack; if you recollect, they asked me to reinstall their latest build in order to generate a report for their analysis, after which, I did not then uninstall . I've sent off the minidump to their technicians as I am still in contact with them regarding this matter.

I shall take a look at that article you posted - I actually subscribe to that site as it is full of useful information.

I shall post again in due course.

 

Further Update: I am still awaiting a response from Acronis , who tell me that it will be some time In April 2011, so at present am unable to make a conclusion as the cause; I am still getting the same BSOD from time to time.

 

I'd go in heavy handed on this one and delete MSE and Acronis and then see if the BSOD's continue. Sounds like Acronis know they have a problem but don't have an answer yet, but there is an update that's just become available so maybe that will have a fix in it.

I would replace MSE with Avira, excvellent free AV.

http://www.avira.com/en/avira-free-antivirus

 

Thanks Mark; yes, Acronis do realise this and are clueless as to what's going on at the moment and I think it is going up the technician heirarchy for further investigation; I have installed this new build 6696 of theirs [yet another!] and am thinking of trying another A/V.

I'll advise of any outcome if/when I get one!

 

Further update - I have had no further contact with Acronis since supplying them with full crash reports some two months ago and so assume their technicians are still hopefully investigating this matter.

I am now using build 6857 of True Image 2011 and the occasional BSOD is still occurring but nowhere as many as previously.

I have installed a program called Soluto, which monitors boot time and attempts to analyse crashes and give help as to what the problem may relate to - whether this has had any stabilising effect on my system I do not know.

As I write this I am informed yet another new build has been released # 6868; this is the 5th since the initial release of version 2011 in August 2010. I shall download and install this one in the next couple of days and see as to the outcome.

I shall report back in due course with a progress update!

 

I have no further comeback from Acronis; please close this thread.