BSOD - Unable to verify timestamp for ntoskrnl.exe
Solution 1
This indicates that the debugger (presumably WinDbg) can't load ntoskrnl.exe. While it is certainly possible that some malicious program has replaced your ntoskrnl.exe as Wil suggested, a more likely explanation is that you don't have WinDbg configured to download symbols from Microsoft's public symbol server.
Try running the .symfix and !sym noisy commands and then try running !analyze -v again. If that doesn't help, please post all of the relevant debugger output (with !sym noisy turned on). (Posting the actual minidump could also help.) For example, some of the output you omitted includes the symbol path:
Microsoft (R) Windows Debugger Version 6.11.0001.404 X86
Copyright (c) Microsoft Corporation. All rights reserved.
Loading Dump File [C:\temp\oops.dmp]
Mini Kernel Dump File: Only registers and stack trace are available
Symbol search path is: srv*C:\symbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
Unable to load image \SystemRoot\system32\ntoskrnl.chk, Win32 error 0n2
*** WARNING: Unable to verify timestamp for ntoskrnl.chk
*** ERROR: Module load completed but symbols could not be loaded for ntoskrnl.chk
Windows Server 2008/Windows Vista Kernel Version 6002 MP (2 procs) Checked x64
If your symbol path is set up correctly, memory corruption due to bad hardware would be another possible non-malware explanation. Try running MemTest86+ for a few hours.
Regarding the bug check code info: bug check 0x1000007e is SYSTEM_THREAD_EXCEPTION_NOT_HANDLED_M. The associated exception is 0xC0000005, STATUS_ACCESS_VIOLATION. The other three parameters don't offer much insight without further examination in the debugger. This could be due to a driver bug, overclocking, faulty memory, a corrupted/replaced file on disk, a failed attempt at exploiting a buffer overflow in a system service, a cosmic ray striking one of your PC's RAM chips, etc.
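As background to the symbol-server point in Solution 1, this added example (not code from the original answer) shows how a PE image is keyed in a symbol store: by the TimeDateStamp and SizeOfImage fields of its header, in the conventional `name/KEY/name` layout. The sample header bytes and the values 0x4A5BC600 and 0x51C000 are constructed for illustration.

```python
import struct

def pe_symbol_key(image: bytes) -> str:
    """Return TimeDateStamp + SizeOfImage, the key that indexes a PE file in a symbol store."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if len(image) < e_lfanew + 24 + 60 or image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: bad or truncated PE header")
    # IMAGE_FILE_HEADER follows the 4-byte signature; TimeDateStamp is its third field.
    (timestamp,) = struct.unpack_from("<I", image, e_lfanew + 8)
    # The optional header starts 24 bytes after the signature;
    # SizeOfImage sits at offset 56 in both PE32 and PE32+.
    (size_of_image,) = struct.unpack_from("<I", image, e_lfanew + 24 + 56)
    return f"{timestamp:08X}{size_of_image:x}"

def symbol_store_path(name: str, image: bytes) -> str:
    """Relative path under which a symbol store files this image."""
    return f"{name}/{pe_symbol_key(image)}/{name}"

def build_sample_pe(timestamp: int, size_of_image: int, body: bytes = b"") -> bytes:
    """Constructed minimal PE32+ header for the demo; not a loadable binary."""
    e_lfanew = 0x80
    buf = bytearray(e_lfanew + 24 + 240)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, e_lfanew)
    buf[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    struct.pack_into("<HHI", buf, e_lfanew + 4, 0x8664, 0, timestamp)  # x64 machine type
    struct.pack_into("<H", buf, e_lfanew + 24, 0x20B)                  # PE32+ magic
    struct.pack_into("<I", buf, e_lfanew + 24 + 56, size_of_image)
    return bytes(buf) + body

if __name__ == "__main__":
    original = build_sample_pe(0x4A5BC600, 0x51C000, body=b"\x90" * 16)
    modified = build_sample_pe(0x4A5BC600, 0x51C000, body=b"\xCC" * 16)
    print(symbol_store_path("ntoskrnl.exe", original))
    # Different contents, same key: the key identifies a build, it does not verify it.
    print(pe_symbol_key(original) == pe_symbol_key(modified))
```

Because the key depends only on two header fields, a matching timestamp says nothing about file integrity; checking the on-disk kernel for tampering takes an Authenticode signature check, for example with sigcheck or Get-AuthenticodeSignature.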
Solution 2
Not sure if this helps you and I am no expert, but I just had this problem. I sent the report in and Microsoft popped up a page that gave answers to this problem. They said it was most likely a hard drive error, Windows could not read from the drive, and gave a few reasons why. One reason was that I had just transferred a large file to my drive from external media or drive. I had just transferred my Win CD to my HD. Sorry, but I forgot what the other reasons were, but they too were just simple things. They said to run chkdsk.
Solution 3
It seems others have had the same problem, specifically after Windows updates as well. It sounds like a lower level problem and searching has yielded a few possible solutions:
- Replace ntoskrnl.exe from your Windows DVD.
- Run a chkdsk on your drive
- Run a Memtest
Personally, rather than doing process of elimination and wasting time, I'd prefer to do a fresh install of Windows (after backing up all of your files of course).
Michael Kniskern
I am currently working as an IT engineer for the government of Mesa, Arizona USA
Updated on September 17, 2022
Comments
-
Michael Kniskern almost 2 years
Recently, my Dell desktop has been randomly crashing when left running for an extended period of time. The following information was written to the dump file:
Unable to load image \SystemRoot\system32\ntoskrnl.exe, Win32 error 0n2
WARNING: Unable to verify timestamp for ntoskrnl.exe
ERROR: Module load completed but symbols could not be loaded for ntoskrnl.exe
Windows Server 2008/Windows Vista Kernel Version 6001 (Service Pack 1) MP (4 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS Personal
Machine Name:
Kernel base = 0xfffff80001e5c000 PsLoadedModuleList = 0xfffff8000201edb0
Debug session time: Mon Aug 31 19:33:29.995 2009 (GMT-7)
System Uptime: 0 days 11:59:15.563
Has anyone experienced this issue with the ntoskrnl.exe causing Windows Vista to crash? I am running Windows Vista 64-bit Home Premium.
Update
This behavior started occurring last week after the latest set of Windows Vista updates were automatically installed on my computer (KB973879, KB973874, KB970653 and KB972036). I also uninstalled an old version of McAfee Security Center and installed AVS Anti-Virus Free Edition 8.5.
Also, the BSOD would also occur when I disconnected my iPhone from my computer.
@Wil - Is there a suggested tool for determining if I have a rootkit installed on my workstation?
Update 2
Here are the crash codes from my latest BSOD. Also, I had to reinstall my drivers for my Belkin G Wireless USB Network Adapter and it cleared my cookies cache from IE8.
BCCode: 1000007e
BCP1: FFFFFFFFC0000005
BCP2: FFFFF800021D3B81
BCP3: FFFFFA60017B4798
BCP4: FFFFFA60017B4170
Update 3
@Wil - I tried running Rootkit Revealer and it wrote the following application error to the event log:
Faulting application RootkitRevealer.exe, version 1.71.0.0, time stamp 0x44e255aa, faulting module RootkitRevealer.exe, version 1.71.0.0, time stamp 0x44e255aa, exception code 0xc0000005, fault offset 0x000040cd, process id 0x11b0, application start time 0x01ca2ab8f0adc004.
-
William Hilsum almost 15 years
He has posted all the needed information - The critical Windows files are "signed" with a digital key, it may say time stamp, but this basically means that the kernel itself no longer has a valid certificate against it / it has been edited and is failing the CRC / integrity check.... It may be fixable as I said, however it is a lot more likely an indication of a more serious error to come.
-
Michael Kniskern almost 15 years
I have updated my question based on your answer
-
William Hilsum almost 15 years
updated my answer based on your updated question! :)
-
Michael Kniskern almost 15 years
I tried running Rootkit Revealer exe and Windows popped up a "Rootkit detection utility has stopped working" dialog box.
-
bk1e almost 15 years
@Wil: You can easily get the same error with a kernel that has a valid Microsoft signature. Also, WinDbg doesn't look at digital signatures.
-
Michael Kniskern almost 15 years
@John T - I ran chkdsk and everything came back OK.