
Blue Screen of Death in Houston


5 replies to this topic

#1 PWobbe

PWobbe

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:04:48 AM

Posted 30 May 2015 - 03:33 PM

First time user... could sure use some help

Attached Files





#2 ring 0

ring 0

  • BSOD Kernel Dump Expert
  • 89 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Local time:05:48 AM

Posted 31 May 2015 - 01:19 PM

0: kd> .bugcheck
Bugcheck code 0000000A
Arguments fffffa80`1a998178 00000000`00000002 00000000`00000001 fffff800`02e89a15
0: kd> kv
Child-SP          RetAddr           : Args to Child                                                           : Call Site
fffff880`0c8b8448 fffff800`02e7ee69 : 00000000`0000000a fffffa80`1a998178 00000000`00000002 00000000`00000001 : nt!KeBugCheckEx
fffff880`0c8b8450 fffff800`02e7dae0 : 3ec6a6eb`3b47753b 00250044`00330025 00000000`00000000 00000000`00000000 : nt!KiBugCheckDispatch+0x69
fffff880`0c8b8590 fffff800`02e89a15 : 00000000`00000000 fffff880`018125b2 fffffa80`00000000 00000000`00000000 : nt!KiPageFault+0x260 (TrapFrame @ fffff880`0c8b8590)
fffff880`0c8b8720 fffff880`0640cbb2 : 00000000`00000001 fffffa80`040291a0 fffffa80`08e494f0 fffffa80`1a995000 : nt!KeAcquireSpinLockRaiseToDpc+0x55
fffff880`0c8b8770 00000000`00000001 : fffffa80`040291a0 fffffa80`08e494f0 fffffa80`1a995000 00000000`00060000 : npf+0x2bb2
fffff880`0c8b8778 fffffa80`040291a0 : fffffa80`08e494f0 fffffa80`1a995000 00000000`00060000 fffff880`0c8b8798 : 0x1
fffff880`0c8b8780 fffffa80`08e494f0 : fffffa80`1a995000 00000000`00060000 fffff880`0c8b8798 fffff880`0c8b8798 : 0xfffffa80`040291a0
fffff880`0c8b8788 fffffa80`1a995000 : 00000000`00060000 fffff880`0c8b8798 fffff880`0c8b8798 00000000`00000000 : 0xfffffa80`08e494f0
fffff880`0c8b8790 00000000`00060000 : fffff880`0c8b8798 fffff880`0c8b8798 00000000`00000000 fffffa80`08e494f0 : 0xfffffa80`1a995000
fffff880`0c8b8798 fffff880`0c8b8798 : fffff880`0c8b8798 00000000`00000000 fffffa80`08e494f0 fffff880`018ad38b : 0x60000
fffff880`0c8b87a0 fffff880`0c8b8798 : 00000000`00000000 fffffa80`08e494f0 fffff880`018ad38b fffffa80`17b9e8d0 : 0xfffff880`0c8b8798
fffff880`0c8b87a8 00000000`00000000 : fffffa80`08e494f0 fffff880`018ad38b fffffa80`17b9e8d0 fffffa80`17b9e8d0 : 0xfffff880`0c8b8798

One of WinPcap's drivers, which pertains to its sniffer software, called the KeAcquireSpinLockRaiseToDpc function to reset the IRQL to DISPATCH_LEVEL and then acquire the lock. What went wrong?

 

Well, we were at DISPATCH_LEVEL, so the IRQL itself isn't the problem...

0: kd> .trap fffff880`0c8b8590
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=0000000000000002 rbx=0000000000000000 rcx=fffffa801a998178
rdx=0000000000000000 rsi=0000000000000000 rdi=0000000000000000
rip=fffff80002e89a15 rsp=fffff8800c8b8720 rbp=fffffa801a998178
 r8=fffffa8003fb38f8  r9=0000000000000000 r10=fffffffffffffffe
r11=fffffa80089c6f40 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0         nv up ei ng nz na po nc
nt!KeAcquireSpinLockRaiseToDpc+0x55:
fffff800`02e89a15 f0480fba2900    lock bts qword ptr [rcx],0 ds:fffffa80`1a998178=????????????????

Looking at the trap frame for the unhandled exception from the function, we can see it was a LOCK prefix with the BTS instruction - used to perform a read/write on a location of memory in a shared environment. We cannot check rcx's contents due to this being a small dump:

0: kd> !pte fffffa801a998178
                                           VA fffffa801a998178
PXE at FFFFF6FB7DBEDFA8    PPE at FFFFF6FB7DBF5000    PDE at FFFFF6FB7EA006A0    PTE at FFFFF6FD400D4CC0
Unable to get PXE FFFFF6FB7DBEDFA8

But we can assume an exception was thrown on this function due to the lock not being serviced.

0: kd> u nt!KeAcquireSpinLockRaiseToDpc+0x55
nt!KeAcquireSpinLockRaiseToDpc+0x55:
fffff800`02e89a15 f0480fba2900    lock bts qword ptr [rcx],0
fffff800`02e89a1b 7227            jb      nt!KeAcquireSpinLockRaiseToDpc+0x84 (fffff800`02e89a44)
fffff800`02e89a1d 0faee8          lfence
fffff800`02e89a20 488b7c2460      mov     rdi,qword ptr [rsp+60h]
fffff800`02e89a25 4084f6          test    sil,sil
fffff800`02e89a28 488b742450      mov     rsi,qword ptr [rsp+50h]
fffff800`02e89a2d 0f85e5bcf8ff    jne     nt! ?? ::FNODOBFM::`string'+0x790b (fffff800`02e15718)
fffff800`02e89a33 8ac3            mov     al,bl
0: kd> u fffff800`02e89a44
nt!KeAcquireSpinLockRaiseToDpc+0x84:
fffff800`02e89a44 e897dbfdff      call    nt!KxWaitForSpinLockAndAcquire (fffff800`02e675e0)  // Possibly hanging here.
fffff800`02e89a49 ff87044b0000    inc     dword ptr [rdi+4B04h]
fffff800`02e89a4f 0187084b0000    add     dword ptr [rdi+4B08h],eax
fffff800`02e89a55 448bc8          mov     r9d,eax
fffff800`02e89a58 ebc6            jmp     nt!KeAcquireSpinLockRaiseToDpc+0x60 (fffff800`02e89a20)
fffff800`02e89a5a 90              nop
fffff800`02e89a5b 90              nop
fffff800`02e89a5c 90              nop

If we check for any unserviced DPCs that would have caused a hang-up:

0: kd> !dpcs
CPU Type      KDPC       Function
Failed to read DPC at 0xfffff80003000ff8
Failed to read DPC at 0xfffff80003001018

We can't see because it's a small dump, but they're there.

0: kd> lmvm npf
start             end                 module name
fffff880`0640a000 fffff880`06416000   npf      T (no symbols)           
    Loaded symbol image file: npf.sys
    Image path: \??\C:\Windows\system32\drivers\npf.sys
    Image name: npf.sys
    Timestamp:        Fri Jun 25 12:50:58 2010 (4C24DE72)
    CheckSum:         00011844
    ImageSize:        0000C000
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4

The driver is really old, 2010. Uninstall WinPcap, and if you cannot find it (the usual problem with this driver), just navigate to:

C:\Windows\system32\drivers

and rename npf.sys to npf.old and restart the computer.
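
As an added example (not part of the thread and not written by either poster), the Python below triages the debugger text from post #2: it decodes the bug check 0xA arguments by their documented meanings, finds the first stack frame outside the OS core, and converts the driver's link timestamp to UTC. The function names and the `KERNEL_MODULES` set are assumptions of this sketch; the sample lines are copied from the post.

```python
import re
from datetime import datetime, timezone

# Sample input: lines copied from the debugger output in the post above.
KD = """\
Bugcheck code 0000000A
Arguments fffffa80`1a998178 00000000`00000002 00000000`00000001 fffff800`02e89a15
fffff880`0c8b8448 fffff800`02e7ee69 : 00000000`0000000a fffffa80`1a998178 00000000`00000002 00000000`00000001 : nt!KeBugCheckEx
fffff880`0c8b8450 fffff800`02e7dae0 : 3ec6a6eb`3b47753b 00250044`00330025 00000000`00000000 00000000`00000000 : nt!KiBugCheckDispatch+0x69
fffff880`0c8b8590 fffff800`02e89a15 : 00000000`00000000 fffff880`018125b2 fffffa80`00000000 00000000`00000000 : nt!KiPageFault+0x260 (TrapFrame @ fffff880`0c8b8590)
fffff880`0c8b8720 fffff880`0640cbb2 : 00000000`00000001 fffffa80`040291a0 fffffa80`08e494f0 fffffa80`1a995000 : nt!KeAcquireSpinLockRaiseToDpc+0x55
fffff880`0c8b8770 00000000`00000001 : fffffa80`040291a0 fffffa80`08e494f0 fffffa80`1a995000 00000000`00060000 : npf+0x2bb2
    Timestamp:        Fri Jun 25 12:50:58 2010 (4C24DE72)
"""

IRQL = {0: "PASSIVE_LEVEL", 1: "APC_LEVEL", 2: "DISPATCH_LEVEL"}
KERNEL_MODULES = {"nt", "hal"}  # assumption: treat only these as OS core

def hexval(tok):
    return int(tok.replace("`", ""), 16)

def decode_bugcheck_a(text):
    """Decode the four arguments of bug check 0xA (IRQL_NOT_LESS_OR_EQUAL)."""
    code = hexval(re.search(r"^Bugcheck code (\S+)", text, re.M).group(1))
    if code != 0xA:
        raise ValueError(f"not bug check 0xA: {code:#x}")
    a1, a2, a3, a4 = map(hexval, re.search(r"^Arguments (.+)$", text, re.M).group(1).split())
    return {"address": a1, "irql": IRQL.get(a2, str(a2)),
            "access": "write" if a3 & 1 else "read", "execute": bool(a3 & 8), "ip": a4}

def first_third_party_module(text):
    """Return the first call-site module on the stack outside the OS core."""
    for line in text.splitlines():
        if line.count(" : ") != 2:  # kv frames read: addresses : args : call site
            continue
        m = re.match(r"([A-Za-z_]\w*)[!+]", line.rsplit(" : ", 1)[1])
        if m and m.group(1) not in KERNEL_MODULES:
            return m.group(1)
    return None

def link_time(text):
    """Convert the hex value in lmvm's Timestamp line to a UTC datetime."""
    stamp = re.search(r"Timestamp:.*\(([0-9A-Fa-f]{8})\)", text).group(1)
    return datetime.fromtimestamp(int(stamp, 16), tz=timezone.utc)

if __name__ == "__main__":
    print(decode_bugcheck_a(KD), first_third_party_module(KD), link_time(KD).date())
```

The time printed by `lmvm` in the post is in the debugger host's local time zone, so it differs from the UTC value by a fixed offset.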



#3 PWobbe

PWobbe
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:04:48 AM

Posted 02 June 2015 - 11:23 AM

Thanks for your suggestions.  I have done as you recommend (could not find WinPcap but did manage to rename npf.sys to npf.old and restart the computer).  Am now waiting to see if there is a recurrence of the problem.  Stay tuned....



#4 ring 0

ring 0

  • BSOD Kernel Dump Expert
  • 89 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Local time:05:48 AM

Posted 02 June 2015 - 11:26 AM

Let me know how it goes.



#5 PWobbe

PWobbe
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:04:48 AM

Posted 09 June 2015 - 02:32 PM

Update: (after a few days of calm) I have had two BSOD crashes in the last 3 days.  I am ready to try the next step that you may have up your sleeve.  Thank you. --Paul



#6 ring 0

ring 0

  • BSOD Kernel Dump Expert
  • 89 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Local time:05:48 AM

Posted 09 June 2015 - 03:23 PM

I'll need the crash dumps to see what's going on.





