Two very helpful people—bwv848 at Bleeping Computer and Sumit Dhiman at Microsoft—have taken me through the steps to figure out what was going on with my Windows 10 desktop computer, on which I’ve had between 100 and 200 BSODs since the Windows 10 Creators fall update arrived.
Windows claimed that the error was a DRIVER_IRQL_NOT_LESS_OR_EQUAL in tcpip.sys, but we know that that wasn’t the cause of the crash.
They had both got to the point where the Driver Verifier had to be run again. On the first attempt, the process had identified an Avira driver, although after removing and reinstalling the anti-virus program, the crashes continued. I had found other dodgy things in the Event Viewer, but solving them didn’t get rid of the BSODs.
Now that I’m back from holiday—and with Windows 10 crashing one more time and costing me more work that hadn’t been backed up—I gave Driver Verifier one more go.
I had been averse to it because of the crashes that resulted from it, and had a sense it would tell me the same thing it had in December.
True to form, Windows wouldn’t even load and it BSODed during the boot. But this time, running Windbg on the dump file revealed something called mobk.sys (Mozy Change Monitor Filter Driver), part of a program called Mozy.
I’ve never heard of Mozy, but it appears to be a back-up program. Checking my driver, it dates from April 2010 and was installed in 2012—around the time I bought the computer.
It could well have been installed by me as part of a bundle, or by PB (the retailer).
Mozy wasn’t helpful. They have a forum, but when you sign up to use it, you get to a page where they want to charge you US$109 for one of their plans. Personally, if I was making software, I’d want reports from people like me. It’s not as though the question was complex: I wanted to know if it made sense to delete the offending driver in safe mode, or maybe download a trial version of their program, then remove it, in the hope that the driver would be overwritten and deleted. It’s only been a couple of hours since I Tweeted them, so I don’t expect any replies till tomorrow.
Rather than wait, I popped into safe mode and deleted mobk.sys from the system32\drivers folder.
These errors are deeply frustrating and in direct contrast to the stability that my Imacs have exhibited. Even though I’ve tired of OS X, at least I wasn’t losing work because of three to six BSODs per day.
The advice I can give to others is to create a system restore point, then run the Driver Verifier, and repeat the two processes until a culprit has been identified.
There are a few silver linings to this: I got rid of certain software which might have been insecure, and the random resets were quite handy in “clearing” the PC sometimes when I was doing work on it remotely.
I wonder what had changed in Windows between the spring and fall Creators updates that generated this very serious problem. I haven’t seen Windows crash this often since a dying laptop, on Vista, needed a fresh OS installation (it now runs Ubuntu). I’m still of the mind that Microsoft shipped a lemon, given that I’ve had no end of problems with this OS since it launched, from inconsistent behaviour (Windows 10 would originally be different each time it booted up, from Cortana settings to which keyboard it believed I was using), to very difficult updates (Anniversary took 11 attempts on this PC and never made it on to my laptop even after 40 attempts; it only updated to Creators because all other updates would fail).
While I can understand that there was no way either Mozy or Microsoft could have checked on a 2010 driver for compatibility, and there are so many configurations of Windows out there, there’s still no escaping that Windows 10 could have shipped with fewer bugs. Happily, as it turned out, the troubleshooting procedures may have worked, even if things wound up taking a month.
I’ll blog again if I’m wrong about Mozy.
PS. (January 18): After 24-plus hours with no crashes, I got another one, with the same message. Following my own advice, I ran the driver verifier again. Windbg pointed this time to Oracle Virtualbox. I intentionally ran an older version of this because since 2015, no newer version would work due to its hardening feature. Faced with no choice but to update, it had the same error which, finally, I traced to Mactype. This was the error, for those searching:
The virtual machine ‘Windows XP’ has terminated unexpectedly during startup with exit code -1073741819 (0xc0000005). More details may be available in ‘C:\Users\User\VirtualBox VMs\Windows XP\Logs\VBoxHardening.log’.
Result Code:
E_FAIL (0x80004005)
Component:
MachineWrap
Interface:
IMachine {85cd948e-a71f-4289-281e-0ca7ad48cd89}
The key is to insert these three lines into Mactype.ini:
[UnloadDll]
VirtualBox.exe
VBoxSvc.exe
The error also picked up that there were McAfee drivers left behind from what should have been a full removal. I ran mcpr.exe, found in a thread with the ever-helpful Peter (Exbrit on the McAfee forums). Mcpr.exe did not remove the three drivers, so I took them out manually (despite this going against expert advice): mfeclnrk.sys, mfencbdc.sys and mfencrk.sys. There was also a driver from Malwarebytes, which I downloaded after expert advice in the wake of the damage done by Facebook and its forced download in 2016. Malwarebytes had to be removed with a program called mb-clean as it didn’t show up in the Windows 10 programs’ list.
One important point: when the system restored itself after the latest crash, it appeared the old mobk.sys reinstalled itself into system32\drivers. I removed it again in safe mode. I’ve since created multiple restore points so hopefully none of the now-removed drivers resurface to cause problems again.
I am very happy that I’m running the latest Virtualbox, too, since posting in 2015 resulted in no solid leads. It’s why I’m posting all of this stuff, in the hope others find it useful.—JY
P.PS. (January 22): No crashes for three days, I update both the Microsoft and Bleeping Computer threads with the good news, and within nine minutes, bam! Oracle VM Virtualbox is to blame again, if the driver verifier is accurate. That was yesterday. Today, I attempted to remove the program from the Windows Control Panel. Merely removing it caused three BSODs for three attempts, literally within minutes of each other. I booted into safe mode once, tried to remove it (I couldn’t), then back to the regular mode. I was then able to remove Virtualbox. I have since reinstalled it—let’s see what happens next.—JY
P.P.PS. (January 23): Two BSODs this afternoon, still so very disappointed software is this unreliable today. Removing a networking driver from Virtualbox has made no difference. Same error as before. I haven’t re-run driver verifier, but I have now updated MacType to the latest version and double-checked the ini file changes are still there.—JY
P.P.P.PS. (January 24): MacType update did nothing. Bwv848 recommends removing Oracle Virtualbox altogether. I may have to do that, and reinstall it only when I need it, and see what happens. Sumit at Microsoft has given up for the time being.—JY
P.P.P.P.PS. (January 25): After one more crash despite some tweaking of the power options last night, I removed Oracle Virtualbox this morning. There were five remaining drivers that removal did not address, two from the latest version (VBoxNetAdp6.sys and VBoxNetLwf.sys) and three from the old one (VBoxNetAdp.sys, VBoxNetFlt.sys and VBoxUSB.sys). I manually removed them. No crashes since, though I will be interested to know if reinstalling, without any of the old drivers present, will make a difference.—JY
P.P.P.P.P.PS. (January 26): Got to its first crash by 11.45 a.m. Driver verifier now blames CLVirtualDrive.sys. Found one user on Virtualbox’s forum who had the DRIVER_IRQL_NOT_LESS_OR_EQUAL crash but the mod doesn’t like me helping out (very protective people, who don’t like their favourite software criticized). A system restore saw Oracle Virtualbox return, even though I made a restore point long after I deleted it. Let’s see what CLVirtualDrive.sys is. Four BSODs before noon. Man from Mozy got back to me—the first contact other than on Twitter—because they wound up spamming me and never responded to my original support question. Amazing how a few events—including Facebook’s forced download in 2016—have directly led to this time-wasting point in 2018.—JY
Enough postscripts. The next episode of the saga is here.
You may also like
3 thoughts on “Mozy driver could have been behind 100–200 BSODs since the Windows 10 Creators fall update was installed”