Could an application causes a BSOD? How to track down the cause?

Question

One liner: BugCheck 50, {fffff8800ca0ec04, 0, fffff88005e18c6a, 2}; PAGE_FAULT_IN_NONPAGED_AREA; mqac.sys;

This issue is some kind of reproducible: happened several times in the last months, on 3 different machines (with the same hardware and drivers, almost the same softwares, no anti-virus software).

We got three MEMORY.DMP file from three machines, with almost the same call stack.

Will enable WER on the suspected application help? -- will it generate user-mode dumps, before crash and with more info. (or context)?

=====8<===== Below: Info. extracted using WinGDB from MEMORY.DMP =====8<=====

Microsoft (R) Windows Debugger Version 6.12.0002.633 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.

Loading Dump File [C:\xxx\MEMORY.DMP]
Kernel Summary Dump File: Only kernel address space is available

Symbol search path is: SRV*C:\symcache*http://msdl.microsoft.com/download/symbols
Executable search path is:
Windows 7 Kernel Version 7601 (Service Pack 1) MP (8 procs) Free x64
Product: LanManNt, suite: TerminalServer SingleUserTS
Built by: 7601.17514.amd64fre.win7sp1_rtm.101119-1850
Machine Name:
Kernel base = 0xfffff800`02213000 PsLoadedModuleList = 0xfffff800`02458e90
Debug session time: Tue May 21 05:05:16.331 2013 (UTC + 8:00)
System Uptime: 39 days 10:02:15.142
Loading Kernel Symbols
...............................................................
................................................................
................
Loading User Symbols
PEB is paged out (Peb.Ldr = 00000000`7efdf018).  Type ".hh dbgerr001" for details
Loading unloaded module list
.............
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 50, {fffff8800ca0ec04, 0, fffff88005e18c6a, 2}

Probably caused by : mqac.sys ( mqac!CPacket::ProcessRRRequest+10a )

Followup: MachineOwner
---------

4: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced.  This cannot be protected by try-except,
it must be protected by a Probe.  Typically the address is just plain bad or it
is pointing at freed memory.
Arguments:
Arg1: fffff8800ca0ec04, memory referenced.
Arg2: 0000000000000000, value 0 = read operation, 1 = write operation.
Arg3: fffff88005e18c6a, If non-zero, the instruction address which referenced the bad memory address.
Arg4: 0000000000000002, (reserved)

Debugging Details:
------------------

READ_ADDRESS:  fffff8800ca0ec04

FAULTING_IP:
mqac!CPacket::ProcessRRRequest+10a
fffff880`05e18c6a 4d8b642404      mov     r12,qword ptr [r12+4]

MM_INTERNAL_CODE:  2

IMAGE_NAME:  mqac.sys

DEBUG_FLR_IMAGE_TIMESTAMP:  4a5bd0a5

MODULE_NAME: mqac

FAULTING_MODULE: fffff88005e00000 mqac

DEFAULT_BUCKET_ID:  VISTA_DRIVER_FAULT

BUGCHECK_STR:  0x50

PROCESS_NAME:  AnExe.exe

CURRENT_IRQL:  0

TRAP_FRAME:  fffff8800bb00d10 -- (.trap 0xfffff8800bb00d10)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=fffff8a009a08948 rbx=0000000000000000 rcx=fffff8a001e047b1
rdx=fffff8a008cf2621 rsi=0000000000000000 rdi=0000000000000000
rip=fffff88005e18c6a rsp=fffff8800bb00ea0 rbp=fffff88005e2d110
 r8=fffff8a008cf2620  r9=0000000000000080 r10=fffff880021408a0
r11=fffff8a001e047b0 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0         nv up ei ng nz na po nc
mqac!CPacket::ProcessRRRequest+0x10a:
fffff880`05e18c6a 4d8b642404      mov     r12,qword ptr [r12+4] ds:4a00:0004=????????????????
Resetting default scope

LAST_CONTROL_TRANSFER:  from fffff8000223dca0 to fffff80002293640

STACK_TEXT:  
fffff880`0bb00ba8 fffff800`0223dca0 : 00000000`00000050 fffff880`0ca0ec04 00000000`00000000 fffff880`0bb00d10 : nt!KeBugCheckEx
fffff880`0bb00bb0 fffff800`0229176e : 00000000`00000000 fffff880`0ca0ec04 00000000`00000000 fffff8a0`0935da10 : nt! ?? ::FNODOBFM::`string'+0x448c6
fffff880`0bb00d10 fffff880`05e18c6a : fffff8a0`0935da10 fffff880`0000ec00 fffff8a0`01730900 fffff8a0`03dfc730 : nt!KiPageFault+0x16e
fffff880`0bb00ea0 fffff880`05e18b49 : fffffa80`0e949950 00000000`00000000 fffffa80`0d1e2530 fffff8a0`09a08900 : mqac!CPacket::ProcessRRRequest+0x10a
fffff880`0bb00ee0 fffff880`05e1f6de : fffffa80`0e949950 fffffa80`0d1e2530 fffffa80`06520000 00000000`00000000 : mqac!CPacket::ProcessRequest+0x141
fffff880`0bb00f20 fffff880`05e1f25a : 00000000`00000000 fffffa80`0dc84a00 00000000`00000000 fffffa80`0dc84a00 : mqac!CQueue::PutPacket+0x442
fffff880`0bb01080 fffff880`05e1ee4b : 00000000`00000103 fffffa80`0dc84a00 00000000`00000000 fffffa80`0dc84a00 : mqac!CQueue::HandleCreatePacketCompletedSuccessAsync+0xf2
fffff880`0bb010c0 fffff880`05e06e26 : 00000000`00000000 fffff880`0bb01ca0 fffffa80`0d1e2530 00000000`00000000 : mqac!CQueue::PutNewPacket+0xa3
fffff880`0bb01100 fffff880`05e06f59 : 00000000`00000000 00000000`06b6ed58 00000000`00000000 fffffa80`0fcfc950 : mqac!ACFreePacket1+0xdaa
fffff880`0bb01590 fffff880`05e0cdf6 : fffffa80`0cecb610 00000000`00000000 fffff8a0`04364ce0 fffff800`025a0288 : mqac!ACFreePacket1+0xedd
fffff880`0bb01970 fffff800`025adf97 : fffffa80`0cecb3d0 fffffa80`0dc84a00 fffffa80`00000011 00000000`00000000 : mqac!ACDeviceControl+0x131a
fffff880`0bb01a10 fffff800`025ae7f6 : fffffa80`0d910060 00000000`00000be5 00000000`00000001 00000000`00000000 : nt!IopXxxControlFile+0x607
fffff880`0bb01b40 fffff800`022928d3 : fffffa80`0d910060 00000000`00000001 fffffa80`0ed26060 fffff800`0258aa34 : nt!NtDeviceIoControlFile+0x56
fffff880`0bb01bb0 00000000`75692e09 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x13
00000000`0526f078 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x75692e09


STACK_COMMAND:  kb

FOLLOWUP_IP:
mqac!CPacket::ProcessRRRequest+10a
fffff880`05e18c6a 4d8b642404      mov     r12,qword ptr [r12+4]

SYMBOL_STACK_INDEX:  3

SYMBOL_NAME:  mqac!CPacket::ProcessRRRequest+10a

FOLLOWUP_NAME:  MachineOwner

FAILURE_BUCKET_ID:  X64_0x50_mqac!CPacket::ProcessRRRequest+10a

BUCKET_ID:  X64_0x50_mqac!CPacket::ProcessRRRequest+10a

Followup: MachineOwner
---------

Answer 1

This is not a real answer, but just the final status.

It is some kind of MS' bug: we worked with MS escalation engineers and development team for about half a year, deployed several patches to collect info., without finding the root cause.

After we upgraded from Windows 2008 to 2012, this issue never happens again. We stopped further investigation then.

Not all Win2008 deployments have this issue. But, today, another Win2008 deployment did have this issue again...