Solving frequent BSoDs after Npsvctrig.sys and FileCrypt are loaded

I'm trying to get to the bottom of a problem I've seen frequently lately while trying to help people in the BSoD forum.

I don't know any of the other techs/helpers here have noticed this, but there are a lot of threads in the last short while (a few weeks?) in the BSoD forum in which the following sequence of events can be seen in peoples' System Events Log:

Event[547]:
  Log Name: System
  Source: Microsoft-Windows-Kernel-Power
  Date: 2019-05-03T22:44:48.439
  Event ID: 41
  Task: N/A
  Level: Critical
  Opcode: Info
  Keyword: N/A
  User: S-1-5-18
  User Name: NT AUTHORITY\SYSTEM
  Computer: Gabe-Gaming-PC
  Description: 
The system has rebooted without cleanly shutting down first. This error could be caused if the system stopped responding, crashed, or lost power unexpectedly.

Event[548]:
  Log Name: System
  Source: Microsoft-Windows-FilterManager
  Date: 2019-05-03T22:44:48.405
  Event ID: 6
  Task: N/A
  Level: Information
  Opcode: Info
  Keyword: N/A
  User: S-1-5-18
  User Name: NT AUTHORITY\SYSTEM
  Computer: Gabe-Gaming-PC
  Description: 
File System Filter 'npsvctrig' (10.0, ?2037?-?02?-?23T02:11:04.000000000Z) has successfully loaded and registered with Filter Manager.

Event[549]:
  Log Name: System
  Source: Microsoft-Windows-FilterManager
  Date: 2019-05-03T22:44:48.328
  Event ID: 6
  Task: N/A
  Level: Information
  Opcode: Info
  Keyword: N/A
  User: S-1-5-18
  User Name: NT AUTHORITY\SYSTEM
  Computer: Gabe-Gaming-PC
  Description: 
File System Filter 'FileCrypt' (10.0, ?2034?-?08?-?13T10:30:12.000000000Z) has successfully loaded and registered with Filter Manage

First, the FileCrypt driver loads, then the NpSvctrig.sys (the Named Pipe Service Trigger Driver) loads, and then BOOM! A BSoD,  or reboot occurs. The user is forced to power off in order to shut down. I've seen between 13 and 15 instances of this happening with various "clients" here on BP lately.

The FileCrypt.sys is described by MS as the "Windows Sandboxing and Encryption Filter". It appears to be an essential service, and reports are that Windows will fail to boot without it. Npsvctrig.sys is the "Named Pipe Service Trigger Driver".

I can't find much in my Google Research that's informative, except the following in which the writer noted the same sequence of events that I did:

https://www.reddit.com/r/Windows10/comments/8yqp8q/how_i_fixed_the_filecrypt_npsvctrig_kernelpower/

That person "solved" it by running the Windows debloat script. But that tells us little about what is causing the problem except that possibly, it is one or more of those drivers. This is a sample size of one, so not terribly useful.

I also found this, in which someone claims to have fixed the problem by disabling Fast Boot. I'm not sure how that would relate to filter drivers exactly.

https://answers.microsoft.com/en-us/windows/forum/windows_10-performance/computer-suffering-unexpected-restarts-event-id-41/c1b03a35-371b-423a-acee-e3159c2dc117

My observations suggest that this may be happening more after one of the more recent (Late Apr/Early May) Windows updates. I will try to track down if there are any particular versions of these files that may be causing the problems. Perhaps some of you who are troubleshooting these patterns can post your results, along with your version numbers of the above modules?

My skills with WinDBG are very minimal, as I have zero programming knowledge and only a basic understanding of Windows internal architecture. Can anyone shed more light on this subject?

Is anyone with more internals/programming knowledge willing to walk the stack a little to help figure out what's going on?

Edited by Shplad, 08 May 2019 - 06:33 PM.

Sounds like you're using a insider build of Windows 10 that has the sandbox feature Microsoft is working on. It's buggy in it's current state and causes BSOD. I would suggest to uninstall it from Windows programs and features.

Thanks, but I'm not personally having problems. As I said, this is for clients I'm trying to help here.

I don't think these drivers/services are limited to the Insider builds. What evidence do you have this is only on Insider builds?

*edited to avoid confusion.

I would be curious to see if you are on the right track regarding npsvctrig, I came across it looking into my own BSoD issues.

Edited by NoobSaibot, 09 May 2019 - 03:25 PM.

I have been having this problem myself as you have described. I have been trying to troubleshoot myself with no luck as I am not computer savvy. Turning off fast startup and updating windows did not help. I reinstalled/updated a few drivers and that also did not help. I don't really know what I am doing. I do not get official BSOD but I get random shutdowns with event 41 and npsvctrig and filecrypt as well as a few other files loading seconds before. Npsvctrig is always the last file loaded before event 41 in event log. I have been having this issue for a few weeks at least. The shutdowns sometimes happen when the computer is exiting sleep but they usually happen while the computer is in use. The occur during light browsing and not usually during gaming so it is probably not a heat issue. They occur usually once or twice a day. Any insights would be a huge help.

Thanks for being the first to report in this thread. The only other "solutions" I've seen are to run the Windows debloater script, but even if that works, we don't know which modules were removed that fixed/worked around the problem. Finally, one person claimed to have fixed it by providing proper voltages settings to their processor. Apparently, it was undervolted in hardware setup.

The other cases I've been studying also involved the problem cropping up just approx. 2-3 weeks ago. As I said earlier, it seems to closely coincide with a recent update released a newer version of npsvctrig.sys and/or filecrypt.dll. Would you please post screenshots of your version numbers for those two files.

Edited by Shplad, 09 May 2019 - 06:38 PM.

Sorry for the late response. I uploaded screenshots of the version of the files. I could not find filecrypt.dll but I found filecrypt.sys. Searching for filecrypt.dll returned no results on my computer. These files do not appear to have been updated recently. The last date they were modified was April 2018.

I wanted to mention something kind of strange in the event log. I don't know if this is relevant or not. So right before the event 41 crash the last event was filter manager loading npscvtrig. There are a slew of other files that were also loaded within a second or two of the event 41. Filecrypt was included but there is also atc, qzflt, gemma, wof, and fileinfo. A few seconds before all of these files are loaded there is event 12 task category 1 "The operating system started at system time__________.". I noticed the system time recorded is 7 hours ahead of the actual time on my laptop. All of the crashes i had seem to begin with the event 12 "The operating system started at system time_______" starting within 30 seconds of the crash and then all the downstream files i mentioned and then event 41. Could this be evidence for anything?

Thanks. I'm really hoping that we could get a small series of crash dumps here. Would anyone who has experienced this problem please host and post links to their crash dumps.

Noob Saibot: I've already looked at yours and I don't think this set of symptoms was related to the cause of your crashes.

Edited by Shplad, 11 May 2019 - 02:08 PM.

Anyone? Would anyone be good enough to upload some crash dumps (.dmp) so that I could try to find some patterns relating to this problem? Preferably, anyone who hasn't already posted here and posted same crash dumps already.

Edited by Shplad, 13 May 2019 - 05:07 PM.

How do you upload crash dumps? I looked in the minidump folder and there is nothing there.

I found a Microsoft help thread where someone had a similar problem and fixed it by an updated display driver. They had also had filecrypt>npsvctrig in the event log.

https://answers.microsoft.com/en-us/windows/forum/all/windows-10-restarting-at-random-times/f4a7196d-cda2-40a0-98f3-61c4642fdd51?page=1

Look in C:\Windows you should see an individual file named MEMORY.DMP.

I do not see any memory.dmp file in C:/windows.

Folks, I don't mean to be rude, but...I intended this thread to be used for resolving the problem. If you don't know how to find files or post things, please consult another thread or start your own. I'd like this thread to just be focussed on evidence.

Sorry was just trying to help as I had a similar problem in my thread locating dmp. files (if you remmember), I believe avocados is trying to upload what you requested if you can instruct him how to produce/locate the dmp. file(s).

Anyway, good luck

p.s the solution in my thread was to run BSoD log collector when no dmp. files were being produced.

Edited by NoobSaibot, 13 May 2019 - 09:24 PM.