# Solved: Windows 8 PAGE_FAULT_IN_NONPAGED_AREA (Win32k.sys)



## TomiRoxSox

Hi okay so i was just running a virtual machine on vmware and running some few other apps including spotify, skype.
Then suddenly a bsod came up on my screen (The error was: *PAGE_FAULT_IN_NONPAGED_AREA (Win32k.sys)*).

So i restarted, this boot took longer than usual though and the metro start screen took forever to load the icons.

Later when i was only on skype and was extracting one archive, the bsod came again.

Please help 
I attached the minidumps in the attachments

- Tom


----------



## Macboatmaster

TomiRoxSox

1. Welcome to tech Support Guy
An Acer Aspire -

2. Are you still running VMWARE
If so I would start by uninstalling all of that
http://www.vmware.com/uk/support.html

3. You have been or are running Sandboxie
http://www.sandboxie.com/index.php?KnownConflicts

I would examine the conflicts and see which applies or uninstall that as well, having of course secured anything you have in the sandbox

4. *First dump*
Windows 8 Kernel Version 9200 MP (4 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 9200.16496.amd64fre.win8_gdr.130108-1504
Machine Name:
Kernel base = 0xfffff800`5c416000 PsLoadedModuleList = 0xfffff800`5c6dfa80
Debug session time: Thu Feb 28 19:03:03.874 2013 (UTC - 5:00)
System Uptime: 1 days 12:52:39.856
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced. This cannot be protected by try-except,
it must be protected by a Probe. Typically the address is just plain bad or it
is pointing at freed memory.
Arguments:
Arg1: fffff90106af7000, memory referenced.
Arg2: 0000000000000000, value 0 = read operation, 1 = write operation.
Arg3: fffff960002ccaa0, If non-zero, the instruction address which referenced the bad memory
address.
Arg4: 0000000000000000, (reserved)

Debugging Details:
------------------

Could not read faulting driver name
TRIAGER: Could not open triage file : e:\dump_analysis\program\triage\modclass.ini, error 2

READ_ADDRESS: GetPointerFromAddress: unable to read from fffff8005c76b168
GetUlongFromAddress: unable to read from fffff8005c76b1f8
Unable to get PFN database address fffff8005c76b170
fffff90106af7000

FAULTING_IP: 
win32k!memcpy+a0
fffff960`002ccaa0 f30f6f040a movdqu xmm0,xmmword ptr [rdx+rcx]

MM_INTERNAL_CODE: 0

DEFAULT_BUCKET_ID: WIN8_DRIVER_FAULT

BUGCHECK_STR: AV

PROCESS_NAME:  TeamViewer.exe

CURRENT_IRQL: 0

TRAP_FRAME: fffff8802cbe1280 -- (.trap 0xfffff8802cbe1280)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=0000000000000000 rbx=0000000000000000 rcx=fffff90106a76290
rdx=0000000000080d70 rsi=0000000000000000 rdi=0000000000000000
rip=fffff960002ccaa0 rsp=fffff8802cbe1418 rbp=0000000000000020
r8=0000000000000000 r9=0000000000000002 r10=0000000000000001
r11=fffff90106a76250 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei pl nz na pe nc
win32k!memcpy+0xa0:
fffff960`002ccaa0 f30f6f040a movdqu xmm0,xmmword ptr [rdx+rcx] ds:fffff901`06af7000=????????????????????????????????
Resetting default scope

LAST_CONTROL_TRANSFER: from fffff8005c5fdf09 to fffff8005c490040

STACK_TEXT: 
fffff880`2cbe1098 fffff800`5c5fdf09 : 00000000`00000050 fffff901`06af7000 00000000`00000000 fffff880`2cbe1280 : nt!KeBugCheckEx
fffff880`2cbe10a0 fffff800`5c4cb12f : 00000000`00000000 fffff901`06af7000 fffffa80`062c6940 fffffa80`00000001 : nt! ?? ::FNODOBFM::`string'+0x3151f
fffff880`2cbe1140 fffff800`5c48daee : 00000000`00000000 fffff880`2cbe1550 fffff880`2cc57b00 fffff880`2cbe1280 : nt!MmAccessFault+0x54f
fffff880`2cbe1280 fffff960`002ccaa0 : fffff960`0026e0a0 fffff6fb`7dbedf90 fffff6fb`7dbf2020 fffff6fb`7e4041a8 : nt!KiPageFault+0x16e
fffff880`2cbe1418 fffff960`0026e0a0 : fffff6fb`7dbedf90 fffff6fb`7dbf2020 fffff6fb`7e4041a8 fffff6fc`808353b0 : win32k!memcpy+0xa0
fffff880`2cbe1420 fffff960`00295405 : 00000000`00000000 fffff880`2cbe1881 fffff901`06af65c8 00000000`00000000 : win32k!vSrcCopyS32D32Identity+0x64
fffff880`2cbe1450 fffff960`003b3a8d : fffff880`2cbe17f8 00000000`00000000 00000000`00000000 fffff901`063e2bc0 : win32k!EngCopyBits+0x355
fffff880`2cbe1790 fffff960`002ff7fa : fffff901`06af65b0 00000000`00000000 fffff880`00000000 fffff901`063e2bc0 : win32k!vProcessCursorShape+0x20d
fffff880`2cbe18d0 fffff960`002ff067 : fffff901`0515d4a0 fffff901`05948010 fffff901`05948010 fffff800`5cb70bb9 : win32k!vSetPointer+0x668
fffff880`2cbe1a30 fffff960`002af122 : 00000000`0000000f fffff901`000c7010 fffffa80`00000000 fffff800`00000000 : win32k!GreSetPointer+0x127
fffff880`2cbe1ad0 fffff960`0027ee20 : 00000000`00000029 fffff901`05e4d010 fffff901`05549b90 00000000`0000ff04 : win32k!zzzUpdateCursorImage+0x162
fffff880`2cbe1b10 fffff960`0026eb1c : 00000000`00000020 00000000`0029092c 00000000`02000001 fffff901`0184d080 : win32k!xxxDWP_SetCursor+0x290
fffff880`2cbe1b70 fffff960`0028125c : 00000000`00000000 00000000`00000000 00000000`00000000 fffffa80`0a609ea0 : win32k!xxxRealDefWindowProc+0x15c
fffff880`2cbe1cc0 fffff960`00280157 : 00000000`0449f702 fffff901`0184d080 00000000`0029092c 00000000`002109ae : win32k!xxxWrapRealDefWindowProc+0x5c
fffff880`2cbe1d30 fffff800`5c48f053 : fffffa80`062c6940 00000000`0449f5f8 00000000`0029092c 00000000`02000001 : win32k!NtUserMessageCall+0x1c7
fffff880`2cbe1dd0 00000000`76f3acba : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x13
00000000`0071b308 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x76f3acba

STACK_COMMAND: kb

FOLLOWUP_IP: 
win32k!memcpy+a0
fffff960`002ccaa0 f30f6f040a movdqu xmm0,xmmword ptr [rdx+rcx]

SYMBOL_STACK_INDEX: 4

SYMBOL_NAME: win32k!memcpy+a0

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: win32k

IMAGE_NAME: win32k.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 50f7780d

FAILURE_BUCKET_ID:  X64_AV_win32k!memcpy+a0

BUCKET_ID: X64_AV_win32k!memcpy+a0

*5. Please see entries I have highlighted in red*
*A. Page fault - memory was accessed in an area not allowed. that in simple terms means that the system was trying use memory in a non paged area.*
*The Page area is the paging file on the hard drive that is used as ram when necessary*

*However that does not get us very far, as it simply indicates the cause of the crash but not the reason for it*

*Driver that Windows does not like. Conflict between applications that prevents proper execution of process etc.*

*B. Team Viewer. exe the process running when the crash occurred.*
*DO NOT confuse that as the cause of the crash*

*C. Failure AV Win32 memcpy*

At this time I am less than certain. 
However I would check after doing 2 and 3 at the start of this post 
YOUR
driver for your graphics and I would reinstall it. Using the latest available
\Program Files\ATI Technologies\ATI.ACE\Fuel\amd64\AODDriver2.sys

and you are running MBAM Malwarebytes, is that the real time protection on the paid for MBAM.
If so what other AV program are you running as well if any

The other crash is the same more or less 14 minutes later

*SECOND DUMP*
Windows 8 Kernel Version 9200 MP (4 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 9200.16496.amd64fre.win8_gdr.130108-1504
Machine Name:
Kernel base = 0xfffff803`0b879000 PsLoadedModuleList = 0xfffff803`0bb42a80
Debug session time: Thu Feb 28 19:17:29.289 2013 (UTC - 5:00)
System Uptime: 0 days 0:07:35.051
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced. This cannot be protected by try-except,
it must be protected by a Probe. Typically the address is just plain bad or it
is pointing at freed memory.
Arguments:
Arg1: fffff90102b66000, memory referenced.
Arg2: 0000000000000000, value 0 = read operation, 1 = write operation.
Arg3: fffff96000217aa0, If non-zero, the instruction address which referenced the bad memory
address.
Arg4: 0000000000000000, (reserved)

Debugging Details:
------------------

Could not read faulting driver name
TRIAGER: Could not open triage file : e:\dump_analysis\program\triage\modclass.ini, error 2

READ_ADDRESS: GetPointerFromAddress: unable to read from fffff8030bbce168
GetUlongFromAddress: unable to read from fffff8030bbce1f8
Unable to get PFN database address fffff8030bbce170
fffff90102b66000

FAULTING_IP: 
win32k!memcpy+a0
fffff960`00217aa0 f30f6f040a movdqu xmm0,xmmword ptr [rdx+rcx]

MM_INTERNAL_CODE: 0

CUSTOMER_CRASH_COUNT: 1

DEFAULT_BUCKET_ID: WIN8_DRIVER_FAULT

BUGCHECK_STR: AV

PROCESS_NAME: TeamViewer.exe

CURRENT_IRQL: 0

TRAP_FRAME: fffff8802a222280 -- (.trap 0xfffff8802a222280)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=0000000000000000 rbx=0000000000000000 rcx=fffff90102b4e290
rdx=0000000000017d70 rsi=0000000000000000 rdi=0000000000000000
rip=fffff96000217aa0 rsp=fffff8802a222418 rbp=0000000000000020
r8=0000000000000000 r9=0000000000000002 r10=0000000000000001
r11=fffff90102b4e250 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei pl nz na pe nc
win32k!memcpy+0xa0:
fffff960`00217aa0 f30f6f040a movdqu xmm0,xmmword ptr [rdx+rcx] ds:fffff901`02b66000=????????????????????????????????
Resetting default scope

LAST_CONTROL_TRANSFER: from fffff8030ba60f09 to fffff8030b8f3040

STACK_TEXT: 
fffff880`2a222098 fffff803`0ba60f09 : 00000000`00000050 fffff901`02b66000 00000000`00000000 fffff880`2a222280 : nt!KeBugCheckEx
fffff880`2a2220a0 fffff803`0b92e12f : 00000000`00000000 fffff901`02b66000 fffffa80`095e9700 fffffa80`00000001 : nt! ?? ::FNODOBFM::`string'+0x3151f
fffff880`2a222140 fffff803`0b8f0aee : 00000000`00000000 fffff880`2a222550 fffff880`06fe9b00 fffff880`2a222280 : nt!MmAccessFault+0x54f
fffff880`2a222280 fffff960`00217aa0 : fffff960`001b90a0 fffff6fb`7dbedf90 fffff6fb`7dbf2020 fffff6fb`7e4040a8 : nt!KiPageFault+0x16e
fffff880`2a222418 fffff960`001b90a0 : fffff6fb`7dbedf90 fffff6fb`7dbf2020 fffff6fb`7e4040a8 fffff6fc`80815a70 : win32k!memcpy+0xa0
fffff880`2a222420 fffff960`001e0405 : 00000000`00000000 fffff880`2a222881 fffff901`02b655c8 00000000`00000000 : win32k!vSrcCopyS32D32Identity+0x64
fffff880`2a222450 fffff960`002fea8d : fffff880`2a2227f8 00000000`00000000 00000000`00000000 fffff901`04c7e6c0 : win32k!EngCopyBits+0x355
fffff880`2a222790 fffff960`0024a7fa : fffff901`02b655b0 00000000`00000000 fffff880`00000000 fffff901`04c7e6c0 : win32k!vProcessCursorShape+0x20d
fffff880`2a2228d0 fffff960`0024a067 : fffff901`0294d370 fffff901`006ee120 fffff901`006ee120 fffffa80`08bf1d90 : win32k!vSetPointer+0x668
fffff880`2a222a30 fffff960`001fa122 : fffffa80`06ba8010 fffff901`000c3010 fffffa80`05f54900 fffff901`00000000 : win32k!GreSetPointer+0x127
fffff880`2a222ad0 fffff960`001c9e20 : 00000000`00000002 fffff901`05406b10 fffff901`006fc280 00000000`00000000 : win32k!zzzUpdateCursorImage+0x162
fffff880`2a222b10 fffff960`001b9b1c : 00000000`00000020 00000000`0002048c 00000000`02000001 fffff901`02e80a10 : win32k!xxxDWP_SetCursor+0x290
fffff880`2a222b70 fffff960`001cc25c : fffffa80`08eb9c10 fffffa80`06addc70 00000000`00000000 fffffa80`075db860 : win32k!xxxRealDefWindowProc+0x15c
fffff880`2a222cc0 fffff960`001cb157 : 0000000d`00000002 fffff901`02e80a10 00000000`0002048c 00000000`0002048e : win32k!xxxWrapRealDefWindowProc+0x5c
fffff880`2a222d30 fffff803`0b8f2053 : fffffa80`095e9700 fffff880`01a56979 00000000`0002048c 00000000`02000001 : win32k!NtUserMessageCall+0x1c7
fffff880`2a222dd0 00000000`777dacba : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x13
00000000`002eab68 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x777dacba

STACK_COMMAND: kb

FOLLOWUP_IP: 
win32k!memcpy+a0
fffff960`00217aa0 f30f6f040a movdqu xmm0,xmmword ptr [rdx+rcx]

SYMBOL_STACK_INDEX: 4

SYMBOL_NAME: win32k!memcpy+a0

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: win32k

IMAGE_NAME: win32k.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 50f7780d

FAILURE_BUCKET_ID: X64_AV_win32k!memcpy+a0

BUCKET_ID: X64_AV_win32k!memcpy+a0

Therefore I would check as I have indicated. above

The less likely cause is a memory - RAM - defect, but that is NOT your first line of examination.

*Please post after the checks I suggest and you have tested to see how things are*

*Having had another look, I think the uninstall of TeamViewer may be the next test*


----------



## TomiRoxSox

Oh yeah I was running teamviewer the second time too...

1. I use the built in antivirus aka Windows Defender/MSE along with MBAM
2. The graphics card driver is definitely up to date. Although ill try reinstalling it
3. Maybe VMWARE has nothing to do with this. It was not even open the second time it happened. But I'll uninstall and see what happens and install it back later
4. I didn't find any conflicting application that I have installed on the sandboxie page

Ill try reinstalling TeamViewer and Sandboxie as well


----------



## Macboatmaster

Will wait to here from you.

Windows Defender on 8 is of course the enhanced Microsoft Security Essentials, which cannot be installed on 8.
I would not run WD with MBAM if the Malwarebytes is the real time protection -paid for edition, whereas the free addition is a scan on demand only and will therefore not conflict

That really even if you were running the two, is not I think the cause of the problem, so I mention it only as general advice


----------



## TomiRoxSox

Okay


----------



## Macboatmaster

I am confused now have you reformatted and installed 7, as that was what I think your last said before you edited it


----------



## TomiRoxSox

Macboatmaster said:


> I am confused now have you reformatted and installed 7, as that was what I think your last said before you edited it


Sorry, ignore that. Decided not to because it fixed itself somehow when i disabled the realtime protection of malwarebytes


----------



## Macboatmaster

> and you are running MBAM Malwarebytes, *is that the real time protection on the paid for MBAM.*
> If so what other AV program are you running as well if any


Indeed as I suggested.


----------

