Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


Blue Screen of Death in Houston

  • Please log in to reply
5 replies to this topic

#1 PWobbe


  • Members
  • 4 posts
  • Local time:12:31 AM

Posted 30 May 2015 - 03:33 PM

First time user... could sure use some help

Attached Files

BC AdBot (Login to Remove)


#2 ring 0

ring 0

  • BSOD Kernel Dump Expert
  • 89 posts
  • Gender:Not Telling
  • Local time:01:31 AM

Posted 31 May 2015 - 01:19 PM

0: kd> .bugcheck
Bugcheck code 0000000A
Arguments fffffa80`1a998178 00000000`00000002 00000000`00000001 fffff800`02e89a15
0: kd> kv
Child-SP          RetAddr           : Args to Child                                                           : Call Site
fffff880`0c8b8448 fffff800`02e7ee69 : 00000000`0000000a fffffa80`1a998178 00000000`00000002 00000000`00000001 : nt!KeBugCheckEx
fffff880`0c8b8450 fffff800`02e7dae0 : 3ec6a6eb`3b47753b 00250044`00330025 00000000`00000000 00000000`00000000 : nt!KiBugCheckDispatch+0x69
fffff880`0c8b8590 fffff800`02e89a15 : 00000000`00000000 fffff880`018125b2 fffffa80`00000000 00000000`00000000 : nt!KiPageFault+0x260 (TrapFrame @ fffff880`0c8b8590)
fffff880`0c8b8720 fffff880`0640cbb2 : 00000000`00000001 fffffa80`040291a0 fffffa80`08e494f0 fffffa80`1a995000 : nt!KeAcquireSpinLockRaiseToDpc+0x55
fffff880`0c8b8770 00000000`00000001 : fffffa80`040291a0 fffffa80`08e494f0 fffffa80`1a995000 00000000`00060000 : npf+0x2bb2
fffff880`0c8b8778 fffffa80`040291a0 : fffffa80`08e494f0 fffffa80`1a995000 00000000`00060000 fffff880`0c8b8798 : 0x1
fffff880`0c8b8780 fffffa80`08e494f0 : fffffa80`1a995000 00000000`00060000 fffff880`0c8b8798 fffff880`0c8b8798 : 0xfffffa80`040291a0
fffff880`0c8b8788 fffffa80`1a995000 : 00000000`00060000 fffff880`0c8b8798 fffff880`0c8b8798 00000000`00000000 : 0xfffffa80`08e494f0
fffff880`0c8b8790 00000000`00060000 : fffff880`0c8b8798 fffff880`0c8b8798 00000000`00000000 fffffa80`08e494f0 : 0xfffffa80`1a995000
fffff880`0c8b8798 fffff880`0c8b8798 : fffff880`0c8b8798 00000000`00000000 fffffa80`08e494f0 fffff880`018ad38b : 0x60000
fffff880`0c8b87a0 fffff880`0c8b8798 : 00000000`00000000 fffffa80`08e494f0 fffff880`018ad38b fffffa80`17b9e8d0 : 0xfffff880`0c8b8798
fffff880`0c8b87a8 00000000`00000000 : fffffa80`08e494f0 fffff880`018ad38b fffffa80`17b9e8d0 fffffa80`17b9e8d0 : 0xfffff880`0c8b8798

One of WinPcap's drivers which pertain to its sniffer software called the KeAcquireSpinLockRaiseToDpc function to reset the IRQL to DISPATCH_LEVEL, and then acquire the lock. What went wrong?


Well, we were at DISPATCH_LEVEL, so the IRQL itself isn't the problem...

0: kd> .trap fffff880`0c8b8590
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=0000000000000002 rbx=0000000000000000 rcx=fffffa801a998178
rdx=0000000000000000 rsi=0000000000000000 rdi=0000000000000000
rip=fffff80002e89a15 rsp=fffff8800c8b8720 rbp=fffffa801a998178
 r8=fffffa8003fb38f8  r9=0000000000000000 r10=fffffffffffffffe
r11=fffffa80089c6f40 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0         nv up ei ng nz na po nc
fffff800`02e89a15 f0480fba2900    lock bts qword ptr [rcx],0 ds:fffffa80`1a998178=????????????????

Looking at the trapframe for the unhandled exception from the function, we can see it was a LOCK prefix with the BTS instruction - used to perform a read/write on a location of memory in a shared environment. We cannot check rcx's contents due to being a small dump:

0: kd> !pte fffffa801a998178
                                           VA fffffa801a998178
Unable to get PXE FFFFF6FB7DBEDFA8

But we can assume an exception was thrown on this function due to the lock not being serviced.

0: kd> u nt!KeAcquireSpinLockRaiseToDpc+0x55
fffff800`02e89a15 f0480fba2900    lock bts qword ptr [rcx],0
fffff800`02e89a1b 7227            jb      nt!KeAcquireSpinLockRaiseToDpc+0x84 (fffff800`02e89a44)
fffff800`02e89a1d 0faee8          lfence
fffff800`02e89a20 488b7c2460      mov     rdi,qword ptr [rsp+60h]
fffff800`02e89a25 4084f6          test    sil,sil
fffff800`02e89a28 488b742450      mov     rsi,qword ptr [rsp+50h]
fffff800`02e89a2d 0f85e5bcf8ff    jne     nt! ?? ::FNODOBFM::`string'+0x790b (fffff800`02e15718)
fffff800`02e89a33 8ac3            mov     al,bl
0: kd> u fffff800`02e89a44
fffff800`02e89a44 e897dbfdff      call    nt!KxWaitForSpinLockAndAcquire (fffff800`02e675e0)// Possibly hanging here.
fffff800`02e89a49 ff87044b0000    inc     dword ptr [rdi+4B04h]
fffff800`02e89a4f 0187084b0000    add     dword ptr [rdi+4B08h],eax
fffff800`02e89a55 448bc8          mov     r9d,eax
fffff800`02e89a58 ebc6            jmp     nt!KeAcquireSpinLockRaiseToDpc+0x60 (fffff800`02e89a20)
fffff800`02e89a5a 90              nop
fffff800`02e89a5b 90              nop
fffff800`02e89a5c 90              nop

If we check for any unserviced DPCs that would caused a hang-up:

0: kd> !dpcs
CPU Type      KDPC       Function
Failed to read DPC at 0xfffff80003000ff8
Failed to read DPC at 0xfffff80003001018

We can't see because it's a small dump, but they're there.

0: kd> lmvm npf
start             end                 module name
fffff880`0640a000 fffff880`06416000   npf      T (no symbols)           
    Loaded symbol image file: npf.sys
    Image path: \??\C:\Windows\system32\drivers\npf.sys
    Image name: npf.sys
    Timestamp:        Fri Jun 25 12:50:58 2010 (4C24DE72)
    CheckSum:         00011844
    ImageSize:        0000C000
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4

The driver is really old, 2010. Uninstall WinPcap, and if you cannot find it (the usual problem with this driver), just navigate to:


and rename npf.sys to npf.old and restart the computer.

#3 PWobbe

  • Topic Starter

  • Members
  • 4 posts
  • Local time:12:31 AM

Posted 02 June 2015 - 11:23 AM

Thanks for your suggestions.  I have done as you recommend (could not find WinPcap but did manage to rename npf.sys to npf.old and restart the computer).  Am now waiting to see if there is a recurrence of the problem.  Stay tuned....

#4 ring 0

ring 0

  • BSOD Kernel Dump Expert
  • 89 posts
  • Gender:Not Telling
  • Local time:01:31 AM

Posted 02 June 2015 - 11:26 AM

Let me know how it goes.

#5 PWobbe

  • Topic Starter

  • Members
  • 4 posts
  • Local time:12:31 AM

Posted 09 June 2015 - 02:32 PM

Update: (after a few days of calm) I have had two BSOD crashes in the last 3 days.  I am ready to try the next step that you may have up your sleeve.  Thank you. --Paul

#6 ring 0

ring 0

  • BSOD Kernel Dump Expert
  • 89 posts
  • Gender:Not Telling
  • Local time:01:31 AM

Posted 09 June 2015 - 03:23 PM

I'll need the crash dumps to see what's going on.

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users