Page 1 of 2
[.02] Bluescreen with error "PAGE_FAULT_IN_NONPAGED_ARE
Posted: Thu Oct 17, 2013 4:59 am
by scarid
Hello,
I often get a Bluescreen when I open a sandboxed application. The Bluescreen says "PAGE_FAULT_IN_NONPAGED_AREA".
System details:
- Sandboxie 4.06
- Windows 8.1 Professional x64 (Windows 8 seems to work now with Sandboxie 4.06...if not I will update this post)
I have this problem since 4.05.07 Beta or something like that. It doesn't matter which application is sandboxed but I have the feeling that Google Chrome is mostly affected. But it's possible that the reason for this is that Chrome is my most used application. The problem only occurs sporadically when I start a sandboxed application the first time after the operating system boot. If the problem doesn't occur at this time it won't occur furthermore during the same Windows logon session. But it can happen again when I reboot.
How can I help to localize the problem? It is really annoying. And I have this problem on three computers.
Thank you very much for your help and this great product!
Posted: Fri Oct 18, 2013 2:49 am
by Labak54
Same Problem - Sandboxie 4.06 - Windows 8 Professional x64 - IE10
I have this problem since 4.05.xx too.
Posted: Fri Oct 18, 2013 5:57 am
by tzuk
I received a couple of similar problem reports and I think this has something to do with user accounts, although I still don't know what is causing this, or how to reproduce the problem so I can fix it. Can you try to create a new user account and use it instead of your current user account, to see if it has any effect on the problem?
Posted: Fri Oct 18, 2013 6:53 am
by scarid
On all computers I use limited user accounts that are only members of the local group "Users". The accounts therefore don't have administrator priviledges. Is this fully supported by Sandboxie? No problem...I can create a new account and check if the problem persists.
Posted: Sat Oct 19, 2013 2:12 am
by balloonshark
I was actually going to bump my old thread but I'll post here for the time being. I'm using Widows 8 64 bit with a limited user account and Sbie 4.04 and had the same problem. I disabled fast startup and for the past month I haven't seen a BSOD when starting my browser sandboxed after booting up.
How to disable fast startup.
http://www.eightforums.com/tutorials/63 ... s-8-a.html
Another change I have made is letting the Intel Rapid Storage Icon fully load before I start my browsing session. I have a feeling the problem is with fast startup.
If you happen to disable fast startup and it helps please post back so Tzuk can look into the matter.
Edit: My old thread is here.
http://www.sandboxie.com/phpbb/viewtopic.php?t=16309
Posted: Sun Oct 20, 2013 5:33 am
by balloonshark
Never mind. I just had another BSOD
. Do any of you use Shadow Defender? I'll post the rest in my other thread.
Posted: Sun Oct 20, 2013 11:59 am
by scarid
No, I don't use Shadow Defender. I disabled the fast startup feature of Windows 8 and currently check if it helps. But after your post it doesn't seem to help.
Maybe Tzuk has the right guess in relation to user accounts. We should keep that in mind and test it.
Posted: Sun Oct 20, 2013 3:47 pm
by tzuk
I'm sorry that I can only offer this vague guess. I examined the first couple of crash dumps for this type of crash and it was clear the problem is caused due to a corrupted security token. A security token is the internal data structure that contains the security data for the user account, and half of that data was missing in the dump, causing this crash. But I could not identify in the dump why the security token data became corrupted in the first place. Hopefully in time the precise reason will become clear, and I will be able to trigger this problem myself and study it.
Posted: Mon Oct 21, 2013 6:10 am
by nsb
now i upgraded to 8.1 but i also recorded this issue.
Bug Check 0x50: PAGE_FAULT_IN_NONPAGED_AREA
Same symptoms than scarid ("The problem only occurs sporadically when I start a sandboxed application the first time after the operating system boot. If the problem doesn't occur at this time it won't occur furthermore during the same Windows logon session. But it can happen again when I reboot"), fast startup disabled, standard user account.
Same issue
Posted: Sun Nov 10, 2013 1:09 pm
by johnnymumble
I am getting the same PAGE_FAULT_IN_NONPAGED_AREA error. I have not really been able to identify a pattern yet except that it seems to occur within a few minutes of booting up or not at all.
I am running Windows 8.1 and Windows 8 before that, I had the same problem with both versions. I have Sandboxie installed on a Windows 7 machine with no issues. I cannot say if the issue occurred on the machine prior to installing Sandboxie because I installed Sandboxie immediately.
EDIT: Forgot to mention that I do not run as an admin user either.
Here is a bit from WinDbg if it helps:
0: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced. This cannot be protected by try-except,
it must be protected by a Probe. Typically the address is just plain bad or it
is pointing at freed memory.
Arguments:
Arg1: ffffc00009a8200c, memory referenced.
Arg2: 0000000000000000, value 0 = read operation, 1 = write operation.
Arg3: fffff800c396269a, If non-zero, the instruction address which referenced the bad memory
address.
Arg4: 0000000000000000, (reserved)
Debugging Details:
------------------
READ_ADDRESS: ffffc00009a8200c Paged pool
FAULTING_IP:
nt!memcpy+21a
fffff800`c396269a f30f6f4402f0 movdqu xmm0,xmmword ptr [rdx+rax-10h]
MM_INTERNAL_CODE: 0
DEFAULT_BUCKET_ID: WIN8_DRIVER_FAULT
BUGCHECK_STR: AV
PROCESS_NAME: chrome.exe
CURRENT_IRQL: 0
ANALYSIS_VERSION: 6.3.9600.16384 (debuggers(dbg).130821-1623) amd64fre
TRAP_FRAME: ffffd0003c2c80c0 -- (.trap 0xffffd0003c2c80c0)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=ffffc00010ed578c rbx=0000000000000000 rcx=fffffffffffffff4
rdx=fffffffff8bac890 rsi=0000000000000000 rdi=0000000000000000
rip=fffff800c396269a rsp=ffffd0003c2c8258 rbp=ffffc00010ed5368
r8=00000000000002c0 r9=0000000000000006 r10=0000000000000000
r11=ffffc00010ed54c0 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei ng nz ac pe cy
nt!memcpy+0x21a:
fffff800`c396269a f30f6f4402f0 movdqu xmm0,xmmword ptr [rdx+rax-10h] ds:ffffc000`09a8200c=????????????????????????????????
Resetting default scope
LAST_CONTROL_TRANSFER: from fffff800c396afd8 to fffff800c3955ca0
STACK_TEXT:
ffffd000`3c2c7ed8 fffff800`c396afd8 : 00000000`00000050 ffffc000`09a8200c 00000000`00000000 ffffd000`3c2c80c0 : nt!KeBugCheckEx
ffffd000`3c2c7ee0 fffff800`c38690fd : 00000000`00000000 ffffe000`01194080 ffffd000`3c2c80c0 00000000`00000001 : nt! ?? ::FNODOBFM::`string'+0x4e48
ffffd000`3c2c7f80 fffff800`c395ff2f : 00000000`00000000 00000000`00000000 ffffd000`3c2c8300 ffffd000`3c2c80c0 : nt!MmAccessFault+0x7ed
ffffd000`3c2c80c0 fffff800`c396269a : fffff800`c3bbdcda ffffc000`10ed5002 ffffc000`10ed5060 ffffe000`00b5ea70 : nt!KiPageFault+0x12f
ffffd000`3c2c8258 fffff800`c3bbdcda : ffffc000`10ed5002 ffffc000`10ed5060 ffffe000`00b5ea70 00000000`000007ff : nt!memcpy+0x21a
ffffd000`3c2c8260 fffff800`c3cc8c91 : ffffc000`04d9d3f0 ffffd000`3c2c8390 00000000`00000000 00000000`00000078 : nt!SepDuplicateToken+0x346
ffffd000`3c2c8320 fffff800`c3c01003 : ffffc000`054cf060 00000000`00000000 ffffc000`054cf590 00000000`000007ff : nt!SepSetLogonSessionToken+0x81
ffffd000`3c2c83a0 fffff800`c3e1deef : 00000000`00000003 00000000`00000000 ffffc000`00000002 ffffc000`0000000d : nt!SepFilterToken+0x55b
ffffd000`3c2c84b0 fffff800`03fe3a95 : 00000000`00000000 ffffc000`03c77560 00000000`00000000 00000000`00000000 : nt!SeFilterToken+0xbf
ffffd000`3c2c8530 fffff800`03fe4462 : ffffc000`09a818f0 ffffc000`00000000 ffffc000`099292e0 ffffc000`09164280 : SbieDrv+0x1ca95
ffffd000`3c2c85d0 fffff800`03fe4629 : ffffc000`10e4d8f0 ffffd000`3c2c86c8 ffffd000`3c2c8600 ffffc000`10e540d0 : SbieDrv+0x1d462
ffffd000`3c2c8620 fffff800`03fdac6a : ffffc000`10e540d0 ffffd000`3c2c86c8 ffffd000`3c2c86c8 ffffd000`3c2c87a0 : SbieDrv+0x1d629
ffffd000`3c2c8670 fffff800`c3baad8e : ffffe000`01194080 ffffe000`01194080 ffffd000`3c2c87a0 fffff800`c3ae3e50 : SbieDrv+0x13c6a
ffffd000`3c2c86a0 fffff800`c3c5b0cc : 00000000`ffb56000 ffffd000`3c2c8740 ffffe000`00993080 00000000`00000000 : nt!PsCallImageNotifyRoutines+0x12e
ffffd000`3c2c8710 fffff800`c3c5adb5 : 00000000`ffb5d000 00000000`ffb5d000 ffffe000`00993080 ffffe000`01194080 : nt!DbgkCreateThread+0x168
ffffd000`3c2c8950 fffff800`c395c3f5 : fffff800`c3af6180 00000000`00000000 fffff800`c3c5ad0c ffffe000`01194080 : nt!PspUserThreadStartup+0xa9
ffffd000`3c2c89c0 fffff800`c395c377 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiStartUserThread+0x16
ffffd000`3c2c8b00 00007ffc`9fed43b4 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiStartUserThreadReturn
00000000`0061fc78 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x00007ffc`9fed43b4
STACK_COMMAND: kb
FOLLOWUP_IP:
SbieDrv+1ca95
fffff800`03fe3a95 85c0 test eax,eax
SYMBOL_STACK_INDEX: 9
SYMBOL_NAME: SbieDrv+1ca95
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: SbieDrv
IMAGE_NAME: SbieDrv.sys
DEBUG_FLR_IMAGE_TIMESTAMP: 525e8f90
FAILURE_BUCKET_ID: AV_SbieDrv+1ca95
BUCKET_ID: AV_SbieDrv+1ca95
ANALYSIS_SOURCE: KM
FAILURE_ID_HASH_STRING: km:av_sbiedrv+1ca95
FAILURE_ID_HASH: {90030c0e-167c-96c0-3d18-5bad6b90e84c}
Followup: MachineOwner
---------
Posted: Sun Nov 10, 2013 2:44 pm
by nsb
look at 4.07.03 to see if it makes any difference
Posted: Fri Nov 15, 2013 2:58 am
by scarid
Since 4.07.03 I didn't get a bluescreen anymore till today. Thank you for your great work, Tzuk!
Posted: Fri Nov 15, 2013 5:08 am
by tzuk
Just to confirm, "till today" means that you still didn't see a crash, yes? Thanks for the encouraging update!
Posted: Fri Nov 15, 2013 9:33 am
by scarid
Hey Tzuk! Yes, my message could have been a bit clearer.
But your guess is right. I didn't get any bluescreen since 4.07.03. These are good news. If something changes about it I will update this post.
Posted: Fri Nov 15, 2013 11:08 am
by Mr.X
The same problem here with 4.07.03. Bluescreen says "PAGE_FAULT_IN_NONPAGED_AREA"
Scenario:
Windows 8 x86
Standard User Account
Fast start up disabled
Google Chrome
And the culprit is SbieDrv.sys according to Nirsoft BlueScreenView