Thanks!
All of the attached DMP files are of the
KMODE_EXCEPTION_NOT_HANDLED (1e) bug check.
This indicates that a kernel-mode program generated an exception which the error handler did not catch.
BugCheck 1E, {ffffffffc0000005, fffff8800a9f6bf0, 0, 0}
^^ The 1st parameter is 0xc0000005 which indicates an access violation occurred, let's see what caused it:
Code:
6: kd> .exr 0xfffff8800a9f7b18
ExceptionAddress: fffff88001dd86b3 (ksecdd!KsecProcessSecurityContext+0x0000000000000293)
ExceptionCode: c0000005 (Access violation)
If we take a look at the call stack:
Code:
6: kd> kv
Child-SP RetAddr : Args to Child : Call Site
fffff880`0a9f6b38 fffff800`0391f1bb : 00000000`0000001e ffffffff`c0000005 fffff880`0a9f6bf0 00000000`00000000 : nt!KeBugCheckEx
fffff880`0a9f6b40 fffff800`038e0d18 : ffbca55a`ffbba359 ffbfa85d`ffbda75c ffc3ac61`ffc1aa5f ffc9b065`ffc7ae64 : nt!KipFatalFilter+0x1b
fffff880`0a9f6b80 fffff800`038b8cdc : ffdac478`ffd9c376 ffdeca7c`ffddc97a ffe1cd7d`ffdfcc7d ffe3d181`ffe2cf7f : nt! ?? ::FNODOBFM::`string'+0x83d
fffff880`0a9f6bc0 fffff800`038b875d : fffff800`039d9d74 fffff880`0a9f8460 00000000`00000000 fffff800`03818000 : nt!_C_specific_handler+0x8c
fffff880`0a9f6c30 fffff800`038b7535 : fffff800`039d9d74 fffff880`0a9f6ca8 fffff880`0a9f7b18 fffff800`03818000 : nt!RtlpExecuteHandlerForException+0xd
fffff880`0a9f6c60 fffff800`038c84c1 : fffff880`0a9f7b18 fffff880`0a9f7370 fffff880`00000000 fffff880`0a9f7f40 : nt!RtlDispatchException+0x415
fffff880`0a9f7340 fffff800`0388d242 : fffff880`0a9f7b18 fffff880`0a9f7f70 fffff880`0a9f7bc0 fffff880`0a9f7f90 : nt!KiDispatchException+0x135
fffff880`0a9f79e0 fffff800`0388bdba : 00000000`00000000 00000000`00000010 00000000`00000000 fffff880`0a9f7f70 : nt!KiExceptionDispatch+0xc2
fffff880`0a9f7bc0 fffff880`01dd86b3 : fffff880`00000000 fffff880`0a9f7dc8 00000000`00000000 fffff880`0a9f7f40 : nt!KiPageFault+0x23a (TrapFrame @ fffff880`0a9f7bc0)
fffff880`0a9f7d50 fffff880`01de86a6 : 00000000`00000001 00000000`00000000 00000000`00000000 00000000`00000001 : ksecdd!KsecProcessSecurityContext+0x293
fffff880`0a9f7e50 fffff880`02053c84 : 00000000`00000000 fffffa80`06c8ca0c fffffa80`073e0a00 00000000`00000000 : ksecdd!InitializeSecurityContextW+0x66
fffff880`0a9f7eb0 fffff880`02054b0e : 00000000`0003a7f7 00000000`0003a7f7 00000000`00000100 01cf2dac`8e2a5464 : tcpip!WfpAlepCreateTokenFromLogonId+0x1c4
fffff880`0a9f7fd0 fffff880`02053a02 : fffffa80`06f186c0 fffffa80`073e0ac0 fffffa80`06f186c0 fffffa80`0ae138b0 : tcpip!WfpAleCreateTokenFromLogonId+0x2e
fffff880`0a9f8050 fffff880`02054075 : 00000000`00000000 fffffa80`073e0ac0 00000000`00000000 fffffa80`06f186c0 : tcpip!WfpAlepSetSecurity+0x282
fffff880`0a9f8120 fffff880`0208ce5a : 0000a310`e54752bc fffff880`0a9f83c8 fffff880`0a9f8320 fffff880`0206d8d6 : tcpip!WfpAleProcessSecureSocketControl+0xa5
fffff880`0a9f82b0 fffff880`02077cb9 : 00000000`00004800 fffff880`01e892a0 00000000`00000000 fffffa80`0bd10cf0 : tcpip!InetInspectSecureSocketControl+0x2a
fffff880`0a9f8300 fffff880`02077137 : 00000000`00004800 fffff880`07a61160 fffffa80`0bd10d38 fffff880`0a9f8570 : tcpip!TcpSetSockOptEndpoint+0x4a9
fffff880`0a9f8400 fffff800`03899878 : 80000800`00000000 80000800`00000001 00000000`00000000 00000000`00000000 : tcpip!TcpTlEndpointIoControlEndpointCalloutRoutine+0x107
fffff880`0a9f8460 fffff880`020771c0 : fffff880`02077030 00000000`00000000 fffff880`01fa5500 00000000`00000001 : nt!KeExpandKernelStackAndCalloutEx+0xd8
fffff880`0a9f8540 fffff880`07a61066 : fffffa80`073d7701 fffffa80`07237ee0 fffffa80`073d7710 00000000`00000000 : tcpip!TcpTlEndpointIoControlEndpoint+0x70
fffff880`0a9f85b0 fffff880`07a606f0 : 00000000`980000c8 00000000`00000000 fffffa80`07237ee0 fffffa80`072461d0 : afd!WskProTLControlRequest+0x136
fffff880`0a9f8640 fffff880`07a60b0b : fffffa80`0c795c10 fffffa80`07237ee0 fffffa80`072461d0 fffff800`03a33a28 : afd!WskProControlSocketCore+0x110
fffff880`0a9f86c0 fffff880`09c836c0 : fffffa80`00000468 fffffa80`0c795c10 00000000`00000000 00000000`000007ff : afd!WskProAPIControlSocket+0x9b
fffff880`0a9f8730 fffff880`09c82de6 : 00000000`00000001 fffff880`07a72400 00000000`00000000 00000000`00000700 : mrxsmb!SmbWskSetSocketOptions+0x1f0
fffff880`0a9f87f0 fffff880`09c7b082 : fffffa80`0b203160 fffffa80`0c396201 00000000`00000080 fffffa80`0b203160 : mrxsmb!SmbWskInitiateAsynchronousConnect+0x1a6
fffff880`0a9f8940 fffff880`09c813a9 : 00000000`00000000 00000000`00000004 fffffa80`0c3962f0 00000000`00000000 : mrxsmb!RxCeInitiateConnectRequest+0x52
fffff880`0a9f8970 fffff880`09c81ba5 : fffff880`09c95f00 fffffa80`0c3962f0 fffff880`07b83110 00000000`aaaaaaaa : mrxsmb!RxCeBuildConnectionOverMultipleTransports+0x659
fffff880`0a9f8b00 fffff880`07b691b1 : fffff880`07b844a8 00000000`00000080 fffff880`07b83110 fffffa80`0c396390 : mrxsmb!RxCeInitiateConnection+0x151
fffff880`0a9f8b40 fffff800`03b2a2ea : fffff880`07b844a8 fffff880`07b848f8 fffff880`0a9f8c00 fffffa80`0ca8e600 : rdbss!RxpWorkerThreadDispatcher+0x1a1
fffff880`0a9f8c00 fffff800`0387e8e6 : fffff800`03a08e80 fffffa80`0ca8e690 fffff800`03a16cc0 00000000`00000000 : nt!PspSystemThreadStartup+0x5a
fffff880`0a9f8c40 00000000`00000000 : fffff880`0a9f9000 fffff880`0a9f3000 fffff880`0a9f6c50 00000000`00000000 : nt!KiStartSystemThread+0x16
^^ Various network routines... i.e. - mrxsmb, afd, tcpip, ksecdd, etc.
Code:
6: kd> .trap fffff880`0a9f7bc0
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=0000000000000000 rbx=0000000000000000 rcx=00000000002e0a70
rdx=fffff8800a9f7de8 rsi=0000000000000000 rdi=0000000000000000
rip=fffff88001dd86b3 rsp=fffff8800a9f7d50 rbp=0000000000000000
r8=fffff8800a9f7e58 r9=00000000002e0a70 r10=fffffa8006d57d60
r11=fffff8a0046c4000 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei ng nz ac pe cy
ksecdd!KsecProcessSecurityContext+0x293:
Code:
6: kd> u @rip
ksecdd!KsecProcessSecurityContext+0x293:
fffff880`01dd86b3 ff5010 call qword ptr [rax+10h]
fffff880`01dd86b6 448bf0 mov r14d,eax
fffff880`01dd86b9 85c0 test eax,eax
fffff880`01dd86bb 780d js ksecdd!KsecProcessSecurityContext+0x2aa (fffff880`01dd86ca)
fffff880`01dd86bd 488b8c2408010000 mov rcx,qword ptr [rsp+108h]
fffff880`01dd86c5 49894c2408 mov qword ptr [r12+8],rcx
fffff880`01dd86ca 4585f6 test r14d,r14d
fffff880`01dd86cd 0f89e0feffff jns ksecdd!KsecProcessSecurityContext+0x193 (fffff880`01dd85b3)
^^ More mention of ksecdd!KsecProcessSecurityContext after some disassembly.
This is very likely a driver (likely security related) causing network conflicts.
-----------------
1. Remove and replace BitDefender with Microsoft Security Essentials for temporary troubleshooting purposes:
BitDefender removal - How to uninstall Bitdefender
MSE - Microsoft Security Essentials - Microsoft Windows
2. In your loaded drivers list, dtsoftbus01.sys is listed which is the Daemon Tools driver. Daemon Tools is a very popular cause of BSODs in 7/8-based systems. Please uninstall Daemon Tools. Alternative imaging programs are: MagicISO, Power ISO, etc.
3. If you're still crashing after both of the above, enable Driver Verifier:
Driver Verifier:
What is Driver Verifier?
Driver Verifier is included in Windows 8, 7, Windows Server 2008 R2, Windows Vista, Windows Server 2008, Windows 2000, Windows XP, and Windows Server 2003 to promote stability and reliability; you can use this tool to troubleshoot driver issues. Windows kernel-mode components can cause system corruption or system failures as a result of an improperly written driver, such as an earlier version of a Windows Driver Model (WDM) driver.
Essentially, if there's a 3rd party driver believed to be at issue, enabling Driver Verifier will help flush out the rogue driver if it detects a violation.
Before enabling Driver Verifier, it is recommended to create a System Restore Point:
Vista - START | type rstrui - create a restore point
Windows 7 - START | type create | select "Create a Restore Point"
Windows 8 - Restore Point - Create in Windows 8
How to enable Driver Verifier:
Start > type "verifier" without the quotes > Select the following options -
1. Select - "Create custom settings (for code developers)"
2. Select - "Select individual settings from a full list"
3. Check the following boxes -
- Special Pool
- Pool Tracking
- Force IRQL Checking
- Deadlock Detection
- Security Checks (Windows 7 & 8)
- DDI compliance checking (Windows 8)
- Miscellaneous Checks
4. Select - "Select driver names from a list"
5. Click on the "Provider" tab. This will sort all of the drivers by the provider.
6. Check EVERY box that is NOT provided by Microsoft / Microsoft Corporation.
7. Click on Finish.
8. Restart.
Important information regarding Driver Verifier:
- If Driver Verifier finds a violation, the system will BSOD.
- After enabling Driver Verifier and restarting the system, depending on the culprit, if for example the driver is on start-up, you may not be able to get back into normal Windows because Driver Verifier will flag it, and as stated above, that will cause / force a BSOD.
If this happens, do not panic, do the following:
- Boot into Safe Mode by repeatedly tapping the F8 key during boot-up.
- Once in Safe Mode - Start > Search > type "cmd" without the quotes.
- To turn off Driver Verifier, type in cmd "verifier /reset" without the quotes.
- Restart and boot into normal Windows.
If your OS became corrupt or you cannot boot into Windows after disabling verifier via Safe Mode:
- Boot into Safe Mode by repeatedly tapping the F8 key during boot-up.
- Once in Safe Mode - Start > type "system restore" without the quotes.
- Choose the restore point you created earlier.
How long should I keep Driver Verifier enabled for?
It varies, many experts and analysts have different recommendations. Personally, I recommend keeping it enabled for at least 24 hours. If you don't BSOD by then, disable Driver Verifier.
My system BSOD'd, where can I find the crash dumps?
They will be located in %systemroot%\Minidump
Any other questions can most likely be answered by this article:
Using Driver Verifier to identify issues with Windows drivers for advanced users
Regards,
Patrick
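The Driver Verifier steps in the post above are given for the GUI. As an added example (not part of Patrick's post, and not a tool he references), the script below does the same selection from an elevated PowerShell 3.0+ prompt: it lists the kernel drivers the Service Control Manager knows about, reads each file's version resource, treats anything whose CompanyName does not contain "Microsoft" as third-party (the assumption here is that this is the string the Verifier GUI shows in its "Provider" column), and prints the equivalent verifier.exe command line. The flag bits are the documented Driver Verifier option values; 0x2092B is their OR for the seven boxes listed in step 3.

```powershell
# Added example: build the verifier.exe command line equivalent to the GUI steps
# (custom settings, selected options, every non-Microsoft driver).
# Requires PowerShell 3.0+ (Get-CimInstance, [pscustomobject]) and elevation.
#
# Documented Driver Verifier option bits:
#   0x1     Special Pool
#   0x2     Force IRQL Checking
#   0x8     Pool Tracking
#   0x20    Deadlock Detection
#   0x100   Security Checks
#   0x800   Miscellaneous Checks
#   0x20000 DDI compliance checking
$flags = 0x1 -bor 0x2 -bor 0x8 -bor 0x20 -bor 0x100 -bor 0x800 -bor 0x20000   # = 0x2092B

# Enumerate kernel drivers and normalise the various PathName spellings.
$drivers = Get-CimInstance Win32_SystemDriver |
    Where-Object { $_.PathName } |
    ForEach-Object {
        $path = $_.PathName -replace '^"|"$', ''                      # strip quotes
        $path = $path -replace '^\\\?\?\\', ''                         # \??\C:\...
        $path = $path -replace '^\\SystemRoot\\', "$env:SystemRoot\"   # \SystemRoot\...
        $path = $path -replace '^System32\\', "$env:SystemRoot\System32\"
        if (Test-Path $path) {
            $info = (Get-Item $path).VersionInfo
            [pscustomobject]@{
                Name     = [IO.Path]::GetFileName($path)
                Path     = $path
                Provider = $info.CompanyName   # assumed to match the GUI "Provider" column
                State    = $_.State
            }
        }
    }

# Third-party = provider string does not mention Microsoft.
$thirdParty = $drivers |
    Where-Object { $_.Provider -notmatch 'Microsoft' } |
    Sort-Object Name -Unique

$thirdParty | Format-Table Name, Provider, State -AutoSize

# /driver takes a space-separated list of driver binary names.
$names = ($thirdParty | ForEach-Object { $_.Name }) -join ' '
$cmd   = 'verifier.exe /flags 0x{0:X} /driver {1}' -f $flags, $names

Write-Host "`nTo enable (a reboot is required):`n  $cmd"
Write-Host "To confirm what is being verified:`n  verifier.exe /querysettings"
Write-Host "To disable again (e.g. from Safe Mode):`n  verifier.exe /reset"

# Uncomment to apply directly instead of just printing the command:
# Invoke-Expression $cmd
```

Review the printed table before applying: the "Provider" string is whatever the vendor put in the file's version resource, so a driver with an empty or unusual CompanyName will be picked up as third-party and should be checked by hand. The `verifier /reset` line is the same command the post gives for backing out from Safe Mode.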