BSOD, IRQL_NOT_LESS_OR_EQUAL, error in tcpip.sys


38 replies to this topic

#1 Jack Yan

Jack Yan

  • Members
  • 41 posts
  • OFFLINE
  •  
  • Local time:05:38 AM

Posted 08 December 2017 - 02:35 AM

Hello there:

Since the Windows 10 Creators fall update, I’ve been having daily BSODs, sometimes twice daily. I have updated my network drivers on seeing the fault lay with tcpip.sys (at least that is what I gathered when the screen goes blue).

   I have included the SysnativeFileCollectionApp.zip, the dump file from Windows\Minidump. Running Speccy gives this URL: http://speccy.piriform.com/results/nXXDEIWOoo0UCVix1QLbHyP

   I will run the tests in step 4 of the BSOD instruction page now.
   Thank you in advance for any light you can shed on this.

Attached Files




 


#2 Jack Yan


Posted 09 December 2017 - 06:27 AM

PS.: The error code is actually DRIVER_IRQL_NOT_LESS_OR_EQUAL. My apologies.



#3 Jack Yan


Posted 09 December 2017 - 07:17 AM

I have run WinDbg on the dump file. This was the result:
 

*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************
 
Use !analyze -v to get detailed debugging information.
 
BugCheck D1, {3c, 2, 1, fffff8042c893f90}
 
Probably caused by : NETIO.SYS ( NETIO!StreamInjectRequestsToStack+239 )
 
Followup:     MachineOwner
---------


#4 Jack Yan


Posted 11 December 2017 - 06:41 AM

Good news, it’s fixed after several days.

http://jackyan.com/blog/2017/12/solving-my-bsods-with-windows-10-creators-fall-update-its-not-the-usual-culprits/
 

The network adapter had to be updated personally, via the Realtek website, and not via Windows Update.


Edited by Jack Yan, 11 December 2017 - 06:42 AM.


#5 Jack Yan


Posted 11 December 2017 - 05:15 PM

Thought I had it licked, but it recurred. Here is the WinDbg analysis in further detail.

 

1: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************
 
DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high.  This is usually
caused by drivers using improper addresses.
If kernel debugger is available get stack backtrace.
Arguments:
Arg1: 000000000000003c, memory referenced
Arg2: 0000000000000002, IRQL
Arg3: 0000000000000001, value 0 = read operation, 1 = write operation
Arg4: fffff80a5f3a3f90, address which referenced memory
 
Debugging Details:
------------------
 
 
DUMP_CLASS: 1
 
DUMP_QUALIFIER: 400
 
BUILD_VERSION_STRING:  10.0.16299.98 (WinBuild.160101.0800)
 
SYSTEM_MANUFACTURER:  System manufacturer
 
SYSTEM_PRODUCT_NAME:  System Product Name
 
SYSTEM_SKU:  SKU
 
SYSTEM_VERSION:  System Version
 
BIOS_VENDOR:  American Megatrends Inc.
 
BIOS_VERSION:  1002
 
BIOS_DATE:  08/23/2011
 
BASEBOARD_MANUFACTURER:  ASUSTeK Computer INC.
 
BASEBOARD_PRODUCT:  P8H67-M LE
 
BASEBOARD_VERSION:  Rev X.0x
 
DUMP_TYPE:  2
 
BUGCHECK_P1: 3c
 
BUGCHECK_P2: 2
 
BUGCHECK_P3: 1
 
BUGCHECK_P4: fffff80a5f3a3f90
 
WRITE_ADDRESS: fffff8035de7d380: Unable to get MiVisibleState
Unable to get NonPagedPoolStart
Unable to get NonPagedPoolEnd
Unable to get PagedPoolStart
Unable to get PagedPoolEnd
 000000000000003c 
 
CURRENT_IRQL:  2
 
FAULTING_IP: 
tcpip!TcpBeginTcbSend+2c0
fffff80a`5f3a3f90 f0ff403c        lock inc dword ptr [rax+3Ch]
 
CPU_COUNT: 4
 
CPU_MHZ: cdd
 
CPU_VENDOR:  GenuineIntel
 
CPU_FAMILY: 6
 
CPU_MODEL: 2a
 
CPU_STEPPING: 7
 
CPU_MICROCODE: 6,2a,7,0 (F,M,S,R)  SIG: 29'00000000 (cache) 29'00000000 (init)
 
CUSTOMER_CRASH_COUNT:  1
 
DEFAULT_BUCKET_ID:  WIN8_DRIVER_FAULT
 
BUGCHECK_STR:  AV
 
PROCESS_NAME:  System
 
ANALYSIS_SESSION_HOST:  GLADIATOR
 
ANALYSIS_SESSION_TIME:  12-11-2017 22:13:31.0160
 
ANALYSIS_VERSION: 10.0.16299.15 amd64fre
 
TRAP_FRAME:  ffffee875b741090 -- (.trap 0xffffee875b741090)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=0000000000000000 rbx=0000000000000000 rcx=00000000f9cf9bc2
rdx=ffffb28e04104530 rsi=0000000000000000 rdi=0000000000000000
rip=fffff80a5f3a3f90 rsp=ffffee875b741220 rbp=ffffee875b741320
 r8=0000000000000000  r9=ffffb28e04104470 r10=ffffb28e04104470
r11=ffffee875b7411c0 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0         nv up ei pl nz na pe nc
tcpip!TcpBeginTcbSend+0x2c0:
fffff80a`5f3a3f90 f0ff403c        lock inc dword ptr [rax+3Ch] ds:00000000`0000003c=????????
Resetting default scope
 
LAST_CONTROL_TRANSFER:  from fffff8035dbf49e9 to fffff8035dbe90e0
 
STACK_TEXT:  
ffffee87`5b740f48 fffff803`5dbf49e9 : 00000000`0000000a 00000000`0000003c 00000000`00000002 00000000`00000001 : nt!KeBugCheckEx
ffffee87`5b740f50 fffff803`5dbf2d7d : 00000000`00000014 ffffb28e`041f0798 fffff80a`5f514000 00000000`00000000 : nt!KiBugCheckDispatch+0x69
ffffee87`5b741090 fffff80a`5f3a3f90 : 00000000`00000001 ffffb28e`04195cc0 ffffb28d`fb86cb2c ffffb28e`00000014 : nt!KiPageFault+0x23d
ffffee87`5b741220 fffff80a`5f3a2fcd : ffffb28e`00e96000 ffffee87`5b7416f0 fffff80a`5f514000 00000000`00000000 : tcpip!TcpBeginTcbSend+0x2c0
ffffee87`5b7414a0 fffff80a`5f3a2c05 : ffffb28e`04195cc0 00000000`00000001 00000000`000002bb ffffb28d`fbb2a280 : tcpip!TcpTcbSend+0x2fd
ffffee87`5b741820 fffff80a`5f3a28b7 : 00000000`009a2b39 ffffee87`5b741a00 00000000`0031100b 00000000`00000000 : tcpip!TcpEnqueueTcbSendOlmNotifySendComplete+0xc5
ffffee87`5b741850 fffff80a`5f44dee8 : ffffb28d`fec27080 00000000`00000000 00000000`00004000 ffffb28e`04069440 : tcpip!TcpEnqueueTcbSend+0x2b7
ffffee87`5b741960 fffff80a`5e391201 : fffff80a`00000002 00000000`00000000 ffffee87`5b741a78 fffff80a`5f514000 : tcpip!InetInspectInjectSend+0x18
ffffee87`5b741990 fffff80a`5e391833 : ffffb28d`fbfb9970 ffffb28e`04195cc0 00000000`00000000 00000000`000000cd : NETIO!StreamInjectRequestsToStack+0x239
ffffee87`5b741a70 fffff80a`5e391966 : 00000000`00000000 ffffb28e`00a9f770 00000000`00000002 ffffb28e`04069440 : NETIO!StreamPermitDataHelper+0x5f
ffffee87`5b741aa0 fffff803`5db8114b : ffffb28e`010374f0 ffffb28e`01037400 ffffb28d`fc1fba70 ffffb28e`0132b080 : NETIO!StreamPermitRemoveDataWorkerRoutine+0xe6
ffffee87`5b741b10 fffff803`5dac1e05 : ffffb28d`faede2b0 ffffb28e`04069300 fffff803`5db81050 00000000`00000000 : nt!IopProcessWorkItem+0xfb
ffffee87`5b741b80 fffff803`5daadf87 : 00000000`00000000 00000000`00000080 ffffb28d`faed6040 ffffb28e`04069300 : nt!ExpWorkerThread+0xf5
ffffee87`5b741c10 fffff803`5dbee676 : ffffc381`67c9d180 ffffb28e`04069300 fffff803`5daadf40 00000000`00000246 : nt!PspSystemThreadStartup+0x47
ffffee87`5b741c60 00000000`00000000 : ffffee87`5b742000 ffffee87`5b73c000 00000000`00000000 00000000`00000000 : nt!KiStartSystemThread+0x16
 
 
THREAD_SHA1_HASH_MOD_FUNC:  4e774be22ad200b119eaec04d36c9254793a847f
 
THREAD_SHA1_HASH_MOD_FUNC_OFFSET:  780a68c2aa88c766cab280656d1c86148905a881
 
THREAD_SHA1_HASH_MOD:  ca9ed088408d7268e0908bb3357cdf1d0f735a18
 
FOLLOWUP_IP: 
NETIO!StreamInjectRequestsToStack+239
fffff80a`5e391201 8bf0            mov     esi,eax
 
FAULT_INSTR_CODE:  33df08b
 
SYMBOL_STACK_INDEX:  8
 
SYMBOL_NAME:  NETIO!StreamInjectRequestsToStack+239
 
FOLLOWUP_NAME:  MachineOwner
 
MODULE_NAME: NETIO
 
IMAGE_NAME:  NETIO.SYS
 
DEBUG_FLR_IMAGE_TIMESTAMP:  302c3e5d
 
IMAGE_VERSION:  10.0.16299.64
 
STACK_COMMAND:  .thread ; .cxr ; kb
 
BUCKET_ID_FUNC_OFFSET:  239
 
FAILURE_BUCKET_ID:  AV_NETIO!StreamInjectRequestsToStack
 
BUCKET_ID:  AV_NETIO!StreamInjectRequestsToStack
 
PRIMARY_PROBLEM_CLASS:  AV_NETIO!StreamInjectRequestsToStack
 
TARGET_TIME:  2017-12-11T22:04:40.000Z
 
OSBUILD:  16299
 
OSSERVICEPACK:  98
 
SERVICEPACK_NUMBER: 0
 
OS_REVISION: 0
 
SUITE_MASK:  784
 
PRODUCT_TYPE:  1
 
OSPLATFORM_TYPE:  x64
 
OSNAME:  Windows 10
 
OSEDITION:  Windows 10 WinNt TerminalServer SingleUserTS Personal
 
OS_LOCALE:  
 
USER_LCID:  0
 
OSBUILD_TIMESTAMP:  2017-11-26 11:49:20
 
BUILDDATESTAMP_STR:  160101.0800
 
BUILDLAB_STR:  WinBuild
 
BUILDOSVER_STR:  10.0.16299.98
 
ANALYSIS_SESSION_ELAPSED_TIME:  d91
 
ANALYSIS_SOURCE:  KM
 
FAILURE_ID_HASH_STRING:  km:av_netio!streaminjectrequeststostack
 
FAILURE_ID_HASH:  {c1b2a924-d392-26d5-b3a7-c0515a6a6bac}
 
Followup:     MachineOwner
---------


#6 Jack Yan


Posted 11 December 2017 - 08:23 PM

Just another update. I have updated Java (despite being set to automatically update, it didn’t) and a remote-access program I use. Coincidentally, looking through the Event Viewer, the hackers were quiet yesterday, and the fact I had no BSODs for a 24-hour period cannot be a coincidence. I’ve blocked the IPs that were coming up using Windows Firewall (set up an incoming rule). I’ve also reported those IPs to abuseipdb.com, and a couple of them were notorious for DDOS and brute-force attacks. They were likely trying to find a way in here.



#7 bwv848

bwv848

    Bleepin' Owl


  • BSOD Kernel Dump Expert
  • 2,955 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:92.96 million miles away from the sun
  • Local time:01:38 AM

Posted 11 December 2017 - 10:14 PM

Hi,

 

Looks like you've made some significant changes to your system, thus can you run the Sysnative File Collection App again?

 

Thank you.


If I do not reply in three days, please message me.
 
BC BSOD Posting Instructions | Carrona BSOD Index | Driver Reference Table (DRT)


#8 Jack Yan


Posted 12 December 2017 - 05:45 AM

Hi Bleepin’ Owl, thank you, and of course. I’ll attach the Sysnative ZIP as soon as I remember how I did it the first time.

Further changes since my last post: the remote viewing program has been replaced altogether. I had a look in the Event Viewer and it does look like port exhaustion attacks from several parties on the original program I used. So far my computer has stayed up for the last eight hours without any BSODs.

One worry is that Windows 10 Creators fall appears to be more susceptible to falling over as a result of these attacks. Maybe there is something in its default settings—will investigate further.



#9 Jack Yan


Posted 12 December 2017 - 05:47 AM

Here is the Sysnative ZIP.

Attached Files



#10 bwv848


Posted 12 December 2017 - 11:29 AM

Hello, :)

Thank you. Unfortunately, you have some illegal Adobe software on your machine — you are deliberately blocking Adobe activation with your HOSTS file:

# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
...
127.0.0.1 adobe-dns-3.adobe.de
127.0.0.1 adobe-dns-4.adobe.com
127.0.0.1 adobe-dns-4.adobe.com
...
127.0.0.1 wwis-dubc1-vip52.adobe.com
127.0.0.1 wwis-dubc1-vip53.adobe.com
127.0.0.1 wwis-dubc1-vip54.adobe.com
127.0.0.1 wwis-dubc1-vip55.adobe.com
127.0.0.1 wwis-dubc1-vip56.adobe.com
127.0.0.1 wwis-dubc1-vip57.adobe.com
127.0.0.1 wwis-dubc1-vip58.adobe.com
127.0.0.1 wwis-dubc1-vip59.adobe.com
127.0.0.1 wwis-dubc1-vip60.adobe.com
...
127.0.0.1 www.adobeereg.com
127.0.0.1 www.hh-software.com
127.0.0.1 www.wip.adobe.com
127.0.0.1 www.wip1.adobe.com
...
127.0.0.1 lmlicenses.wip4.adobe.com
127.0.0.1 lm.licenses.adobe.com

Helping you would be a violation of the forum rules, so this will be my last reply to this topic unless you remove ALL illegal software and prove this by providing fresh log files.

There is only one BSOD dump in the older SFCA output; none in the newer one. I suspect CCleaner is the culprit as it automatically deletes dumps and other helpful info … can you stop using it? Anyway, that dump wasn't particularly helpful either … was running into symbol errors (which I am surprised you weren't!).

For now, I can only suggest you run Driver Verifier according to these instructions. Run it for 24 hours as instructed (that is, 24 hours when your computer is ON).

Regards,
bwv848


Edited by bwv848, 12 December 2017 - 11:30 AM.



#11 Jack Yan


Posted 12 December 2017 - 08:39 PM

Hi BWV848, thank you—I am a licensee but had difficulty getting one of the programs in the suite to work again after a crash, and someone suggested blocking those. Not a problem, I’ll remove those entries—this happened years ago and hopefully it won’t recur.



#12 bwv848


Posted 12 December 2017 - 09:32 PM

Okay, great! :) Go ahead and enable DV and after 24 hours (24 hours when you are actually using your computer) send a fresh SFCA ZIP file to me and I'll try to get as much info out of them (even without symbols) as possible.




#13 Jack Yan


Posted 13 December 2017 - 03:27 AM

Darn, lost my reply which was in a lot of detail …

Thank you for your patience on this. Now, let me see if I can recall what I wrote …

DV didn’t work for me, unfortunately. On rebooting, Windows would stay on for mere seconds before the BSODs came. The error was:
 
Stop code: DRIVER_VERIFIER_DETECTED_VIOLATION
What failed: avgntflt.sys
 
There were three dump files but I could never work fast enough to copy them or to archive them.

After a system restore, only one dump file remained.

I’m not au fait with what symbols mean, but they are missing from this output as well. I’ve created a ZIP file of the remaining dump file and the WinDbg result is below. I’ve also run Sysnative again (I know it hasn’t been 24 hours yet).

I had better send this first and attach the files afterwards as I’m worried I’ll lose this message after ‘More Reply Options’.
 
Microsoft ® Windows Debugger Version 10.0.16299.15 AMD64
Copyright © Microsoft Corporation. All rights reserved.
 
 
Loading Dump File [C:\Windows\Minidump\121317-5437-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available
 
Symbol search path is: srv*
Executable search path is: 
Windows 10 Kernel Version 16299 MP (4 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS Personal
Built by: 16299.15.amd64fre.rs3_release.170928-1534
Machine Name:
Kernel base = 0xfffff802`1d083000 PsLoadedModuleList = 0xfffff802`1d3e4ff0
Debug session time: Wed Dec 13 08:08:40.143 2017 (UTC + 0:00)
System Uptime: 0 days 0:00:34.873
Loading Kernel Symbols
.
 
Press ctrl-c (cdb, kd, ntsd) or ctrl-break (windbg) to abort symbol loads that take too long.
Run !sym noisy before .reload to track down problems loading symbols.
 
..............................................................
................................................................
......................................................
Loading User Symbols
Loading unloaded module list
.....
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************
 
Use !analyze -v to get detailed debugging information.
 
BugCheck C4, {e4, fffff80517e8f940, fffff40a9252c550, 0}
 
*** WARNING: Unable to verify timestamp for avgntflt.sys
*** ERROR: Module load completed but symbols could not be loaded for avgntflt.sys
Probably caused by : avgntflt.sys ( avgntflt+1f940 )
 
Followup:     MachineOwner
---------
 
0: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************
 
DRIVER_VERIFIER_DETECTED_VIOLATION (c4)
A device driver attempting to corrupt the system has been caught.  This is
because the driver was specified in the registry as being suspect (by the
administrator) and the kernel has enabled substantial checking of this driver.
If the driver attempts to corrupt the system, bugchecks 0xC4, 0xC1 and 0xA will
be among the most commonly seen crashes.
Arguments:
Arg1: 00000000000000e4, Kernel Zw API called with malformed UNICODE_STRING structure as parameter.
Arg2: fffff80517e8f940, Address inside the driver making the incorrect API call.
Arg3: fffff40a9252c550, Address of the incorrect UNICODE_STRING structure.
Arg4: 0000000000000000
 
Debugging Details:
------------------
 
 
DUMP_CLASS: 1
 
DUMP_QUALIFIER: 400
 
BUILD_VERSION_STRING:  10.0.16299.125 (WinBuild.160101.0800)
 
SYSTEM_MANUFACTURER:  System manufacturer
 
SYSTEM_PRODUCT_NAME:  System Product Name
 
SYSTEM_SKU:  SKU
 
SYSTEM_VERSION:  System Version
 
BIOS_VENDOR:  American Megatrends Inc.
 
BIOS_VERSION:  1002
 
BIOS_DATE:  08/23/2011
 
BASEBOARD_MANUFACTURER:  ASUSTeK Computer INC.
 
BASEBOARD_PRODUCT:  P8H67-M LE
 
BASEBOARD_VERSION:  Rev X.0x
 
DUMP_TYPE:  2
 
BUGCHECK_P1: e4
 
BUGCHECK_P2: fffff80517e8f940
 
BUGCHECK_P3: fffff40a9252c550
 
BUGCHECK_P4: 0
 
BUGCHECK_STR:  0xc4_e4
 
FAULTING_IP: 
avgntflt+1f940
fffff805`17e8f940 8bf0            mov     esi,eax
 
FOLLOWUP_IP: 
avgntflt+1f940
fffff805`17e8f940 8bf0            mov     esi,eax
 
CPU_COUNT: 4
 
CPU_MHZ: cdd
 
CPU_VENDOR:  GenuineIntel
 
CPU_FAMILY: 6
 
CPU_MODEL: 2a
 
CPU_STEPPING: 7
 
CPU_MICROCODE: 6,2a,7,0 (F,M,S,R)  SIG: 29'00000000 (cache) 29'00000000 (init)
 
CUSTOMER_CRASH_COUNT:  1
 
DEFAULT_BUCKET_ID:  VERIFIER_ENABLED_VISTA_MINIDUMP
 
PROCESS_NAME:  avguard.exe
 
CURRENT_IRQL:  0
 
ANALYSIS_SESSION_HOST:  GLADIATOR
 
ANALYSIS_SESSION_TIME:  12-13-2017 08:16:45.0931
 
ANALYSIS_VERSION: 10.0.16299.15 amd64fre
 
STACK_TEXT:  
fffff40a`9252c478 fffff802`1d82a2d3 : 00000000`000000c4 00000000`000000e4 fffff805`17e8f940 fffff40a`9252c550 : nt!KeBugCheckEx
fffff40a`9252c480 fffff802`1d844249 : fffff40a`9252c550 00000000`00000000 fffff805`17e8f940 fffffe8e`e2746ff0 : nt!VerifierBugCheckIfAppropriate+0xdf
fffff40a`9252c4c0 fffff802`1d843056 : fffff805`17e8f940 ffffffff`80002f18 fffff40a`9252c550 00000000`00000018 : nt!ViZwCheckUnicodeString+0x7d
fffff40a`9252c500 fffff805`17e8f940 : fffff40a`9252c610 fffff40a`9252c5b0 00000000`00000000 ffffa80c`421c3f90 : nt!VfZwQuerySymbolicLinkObject+0x36
fffff40a`9252c530 fffff40a`9252c610 : fffff40a`9252c5b0 00000000`00000000 ffffa80c`421c3f90 00000000`00010000 : avgntflt+0x1f940
fffff40a`9252c538 fffff40a`9252c5b0 : 00000000`00000000 ffffa80c`421c3f90 00000000`00010000 fffffe8e`e2746ff0 : 0xfffff40a`9252c610
fffff40a`9252c540 00000000`00000000 : ffffa80c`421c3f90 00000000`00010000 fffffe8e`e2746ff0 00000000`00000000 : 0xfffff40a`9252c5b0
 
 
THREAD_SHA1_HASH_MOD_FUNC:  fd7dc5806bd5d6208d07925664ea305f53f4b7b5
 
THREAD_SHA1_HASH_MOD_FUNC_OFFSET:  0257ce16adda1aa35a2215d6dfc77d2ef3ab2299
 
THREAD_SHA1_HASH_MOD:  b5a22253caa2b9d48baed56d35bf18ae97fca6d7
 
FAULT_INSTR_CODE:  43df08b
 
SYMBOL_STACK_INDEX:  4
 
SYMBOL_NAME:  avgntflt+1f940
 
FOLLOWUP_NAME:  MachineOwner
 
MODULE_NAME: avgntflt
 
IMAGE_NAME:  avgntflt.sys
 
DEBUG_FLR_IMAGE_TIMESTAMP:  5a1d4d05
 
STACK_COMMAND:  .thread ; .cxr ; kb
 
BUCKET_ID_FUNC_OFFSET:  1f940
 
FAILURE_BUCKET_ID:  0xc4_e4_VRF_avgntflt!unknown_function
 
BUCKET_ID:  0xc4_e4_VRF_avgntflt!unknown_function
 
PRIMARY_PROBLEM_CLASS:  0xc4_e4_VRF_avgntflt!unknown_function
 
TARGET_TIME:  2017-12-13T08:08:40.000Z
 
OSBUILD:  16299
 
OSSERVICEPACK:  125
 
SERVICEPACK_NUMBER: 0
 
OS_REVISION: 0
 
SUITE_MASK:  784
 
PRODUCT_TYPE:  1
 
OSPLATFORM_TYPE:  x64
 
OSNAME:  Windows 10
 
OSEDITION:  Windows 10 WinNt TerminalServer SingleUserTS Personal
 
OS_LOCALE:  
 
USER_LCID:  0
 
OSBUILD_TIMESTAMP:  2017-12-07 21:55:32
 
BUILDDATESTAMP_STR:  160101.0800
 
BUILDLAB_STR:  WinBuild
 
BUILDOSVER_STR:  10.0.16299.125
 
ANALYSIS_SESSION_ELAPSED_TIME:  17f4
 
ANALYSIS_SOURCE:  KM
 
FAILURE_ID_HASH_STRING:  km:0xc4_e4_vrf_avgntflt!unknown_function
 
FAILURE_ID_HASH:  {ec770f2d-f5ed-d54b-4b12-e283685ebb98}
 
Followup:     MachineOwner
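
Added example, not part of any post in this thread: a Python triage parser for the `!analyze -v` text pasted in posts #5 and #13, pulling out the bugcheck code, its arguments and the distinct modules on the stack. The function name `triage`, its result keys and the near-NULL heuristic are this example's own assumptions; the embedded samples are abbreviated copies of the thread's output.

```python
import re

# Constructed input: abbreviated copies of the two `!analyze -v` reports in
# this thread (most fields and some stack frames dropped, values unchanged).
DUMP_D1 = """\
DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)
Arg1: 000000000000003c, memory referenced
Arg2: 0000000000000002, IRQL
Arg3: 0000000000000001, value 0 = read operation, 1 = write operation
Arg4: fffff80a5f3a3f90, address which referenced memory
PROCESS_NAME:  System
STACK_TEXT:
ffffee87`5b740f48 fffff803`5dbf49e9 : 00000000`0000000a 00000000`0000003c 00000000`00000002 00000000`00000001 : nt!KeBugCheckEx
ffffee87`5b741090 fffff80a`5f3a3f90 : 00000000`00000001 ffffb28e`04195cc0 ffffb28d`fb86cb2c ffffb28e`00000014 : nt!KiPageFault+0x23d
ffffee87`5b741220 fffff80a`5f3a2fcd : ffffb28e`00e96000 ffffee87`5b7416f0 fffff80a`5f514000 00000000`00000000 : tcpip!TcpBeginTcbSend+0x2c0
ffffee87`5b741960 fffff80a`5e391201 : fffff80a`00000002 00000000`00000000 ffffee87`5b741a78 fffff80a`5f514000 : tcpip!InetInspectInjectSend+0x18
ffffee87`5b741990 fffff80a`5e391833 : ffffb28d`fbfb9970 ffffb28e`04195cc0 00000000`00000000 00000000`000000cd : NETIO!StreamInjectRequestsToStack+0x239
ffffee87`5b741b10 fffff803`5dac1e05 : ffffb28d`faede2b0 ffffb28e`04069300 fffff803`5db81050 00000000`00000000 : nt!IopProcessWorkItem+0xfb

IMAGE_NAME:  NETIO.SYS
"""
DUMP_C4 = """\
DRIVER_VERIFIER_DETECTED_VIOLATION (c4)
Arg1: 00000000000000e4, Kernel Zw API called with malformed UNICODE_STRING structure as parameter.
Arg2: fffff80517e8f940, Address inside the driver making the incorrect API call.
Arg3: fffff40a9252c550, Address of the incorrect UNICODE_STRING structure.
Arg4: 0000000000000000
PROCESS_NAME:  avguard.exe
STACK_TEXT:
fffff40a`9252c478 fffff802`1d82a2d3 : 00000000`000000c4 00000000`000000e4 fffff805`17e8f940 fffff40a`9252c550 : nt!KeBugCheckEx
fffff40a`9252c4c0 fffff802`1d843056 : fffff805`17e8f940 ffffffff`80002f18 fffff40a`9252c550 00000000`00000018 : nt!ViZwCheckUnicodeString+0x7d
fffff40a`9252c500 fffff805`17e8f940 : fffff40a`9252c610 fffff40a`9252c5b0 00000000`00000000 ffffa80c`421c3f90 : nt!VfZwQuerySymbolicLinkObject+0x36
fffff40a`9252c530 fffff40a`9252c610 : fffff40a`9252c5b0 00000000`00000000 ffffa80c`421c3f90 00000000`00010000 : avgntflt+0x1f940
fffff40a`9252c538 fffff40a`9252c5b0 : 00000000`00000000 ffffa80c`421c3f90 00000000`00010000 fffffe8e`e2746ff0 : 0xfffff40a`9252c610

IMAGE_NAME:  avgntflt.sys
"""

HEAD = re.compile(r"^([A-Z_0-9]+) \(([0-9a-f]+)\)$")            # NAME (code)
ARG = re.compile(r"^Arg(\d): ([0-9a-f]+)(?:, (.*))?$")          # description optional
FRAME = re.compile(r"^[0-9a-f`]+ [0-9a-f`]+ : (?:[0-9a-f`]+ ){4}: (\S+)$")

def triage(text):
    """Summarise one !analyze -v report: code, args, fields, stack modules."""
    out = {"name": None, "code": None, "args": {}, "fields": {}, "modules": []}
    in_stack = False
    for line in text.splitlines():
        line = line.rstrip()
        if m := HEAD.match(line):
            out["name"], out["code"] = m.group(1), int(m.group(2), 16)
        elif m := ARG.match(line):
            out["args"][int(m.group(1))] = int(m.group(2), 16)
        elif line == "STACK_TEXT:":
            in_stack = True
        elif in_stack and (m := FRAME.match(line)):
            sym = m.group(1)
            if not sym.startswith("0x"):       # raw address: module unknown
                mod = re.split(r"[!+]", sym)[0]
                if mod not in out["modules"]:
                    out["modules"].append(mod)
        elif in_stack and not line:            # blank line ends the stack
            in_stack = False
        elif m := re.match(r"^([A-Z_]+):\s+(\S.*)$", line):
            out["fields"][m.group(1)] = m.group(2)
    # Module nearest the crash that is not the kernel image itself.
    out["first_non_nt"] = next((m for m in out["modules"] if m != "nt"), None)
    # Bugcheck 0xD1: Arg1 is the address touched. An address inside the first
    # page means a NULL base plus a field offset, as in [rax+3Ch] with rax = 0.
    out["near_null"] = out["code"] == 0xD1 and out["args"].get(1, 1 << 64) < 0x1000
    return out
```

For the post #5 report this returns `tcpip` as the first non-kernel module while the debugger's `IMAGE_NAME` is `NETIO.SYS`, so both are worth recording when comparing crashes.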


#14 Jack Yan


Posted 13 December 2017 - 03:28 AM

Here is the dump file and I ran the Sysnative program again.

Attached Files


Edited by Jack Yan, 13 December 2017 - 03:43 AM.


#15 Jack Yan


Posted 13 December 2017 - 04:53 AM

Sorry about all the messages.

One of the entries in the Event Viewer is:

Installing printer driver Microsoft XPS Document Writer failed, error code 0x0, HRESULT 0x80070705. See the event user data for context information.

Another is:

The print spooler failed to regenerate the printer driver information for driver Microsoft XPS Document Writer for environment Windows x64. Win32 system error code 1797 (0x705). This can occur after an operating system upgrade or because of data loss on the hard drive.

 

I can get the BSOD consistently now if I try to add a printer from Devices and Printers.

I have tried removing the Microsoft XPS Document Writer but it reappears after a reboot, and those events are still present. Windows claims the device is working properly though (under properties).

I have a feeling this may point to the cause, especially with the regular BSODs I can create just by attempting to add a printer. I’ll report more as I tinker with this.





