0x9f BSOD on each shutdown-Windows 8.1 x64

[5460]

BSOD 0x9f on each shutdown-Windows 8.1 x64

One of my colleagues has just bought a laptop computer. It runs well except that there is a BSOD 0x9f on each shutdown. But if disconnected from the internet before shutting down, it shuts down properly.

The model is HP 15-d101tx, the product specifications can be found here.
The OS is Windows 8.1 x64, not a OEM version, the original OS is Free DOS. Age of hardware is less than one year and Age of OS installation is less than one month. Since I'm not on work today, I can't provide other system information until next week.
I have already installed all the latest drivers from HP, upgraded BIOS to the latest version and installed all the updates with Windows Update.

Following this thread, I checked the dump file with windbg, got the following information

[COLOR=#000000][FONT=Courier]*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 9F, {3, ffffe0004b7cc520, ffffd001251fe960, ffffe0004becadc0}

Probably caused by : ntkrnlmp

Followup: MachineOwner
---------

1: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

DRIVER_POWER_STATE_FAILURE (9f)
A driver is causing an inconsistent power state.
Arguments:
Arg1: 0000000000000003, A device object has been blocking an Irp for too long a time
Arg2: ffffe0004b7cc520, Physical Device Object of the stack
Arg3: ffffd001251fe960, Functional Device Object of the stack
Arg4: ffffe0004becadc0, The blocked IRP

Debugging Details:
------------------


DRVPOWERSTATE_SUBCODE:  3

IMAGE_NAME:  ntkrnlmp

DEBUG_FLR_IMAGE_TIMESTAMP:  0

FAULTING_MODULE: fffff8001a82d000 tunnel

IRP_ADDRESS:  ffffe0004becadc0

DEVICE_OBJECT: ffffe0004581f050

DRIVER_OBJECT: ffffe0004b82a260

CUSTOMER_CRASH_COUNT:  1

DEFAULT_BUCKET_ID:  VISTA_DRIVER_FAULT

BUGCHECK_STR:  0x9F

PROCESS_NAME:  System

CURRENT_IRQL:  2

STACK_TEXT:  
ffffd001`251fe928 fffff800`84e9336e : 00000000`0000009f 00000000`00000003 ffffe000`4b7cc520 ffffd001`251fe960 : nt!KeBugCheckEx
ffffd001`251fe930 fffff800`84e9328e : ffffe000`4b1a41e0 00000000`00000001 ffffe000`4b1a4218 fffff800`84d7ec19 : nt!PopIrpWatchdogBugcheck+0xde
ffffd001`251fe990 fffff800`84d02e67 : 00000000`00000000 ffffd001`251feae0 ffffe000`4b1a4220 ffffe000`00000002 : nt!PopIrpWatchdog+0x32
ffffd001`251fe9e0 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiRetireDpcList+0x4f7


STACK_COMMAND:  kb

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: ntkrnlmp

FAILURE_BUCKET_ID:  X64_0x9F_3_IMAGE_ntkrnlmp

BUCKET_ID:  X64_0x9F_3_IMAGE_ntkrnlmp

Followup: MachineOwner
---------

1: kd> !irp ffffe0004becadc0
Irp is active with 3 stacks 2 is current (= 0xffffe0004becaed8)
 No Mdl: No System Buffer: Thread 00000000:  Irp stack trace.  
     cmd  flg cl Device   File     Completion-Context
 [  0, 0]   0  0 00000000 00000000 00000000-00000000    

            Args: 00000000 00000000 00000000 00000000
>[ 16, 2]   0 e1 ffffe0004581f050 00000000 fffff80084dadc30-ffffe000491b9270 Success Error Cancel pending
           \Driver\tunnel    nt!PopRequestCompletion
            Args: 00015600 00000001 00000004 00000003
 [  0, 0]   0  0 00000000 00000000 00000000-ffffe000491b9270    

            Args: 00000000 00000000 00000000 00000000
1: kd> lmvm tunnel
start             end                 module name
fffff800`1a82d000 fffff800`1a85a000   tunnel     (pdb symbols)          c:\mss\tunnel.pdb\EEE571A6C3CB4C328CD7139606776EC52\tunnel.pdb
    Loaded symbol image file: tunnel.sys
    Mapped memory image file: c:\mss\tunnel.sys\5215F7912d000\tunnel.sys
    Image path: \SystemRoot\system32\DRIVERS\tunnel.sys
    Image name: tunnel.sys
    Timestamp:        Thu Aug 22 19:35:45 2013 (5215F791)
    CheckSum:         0002B6E4
    ImageSize:        0002D000
    File version:     6.3.9600.16384
    Product version:  6.3.9600.16384
    File flags:       0 (Mask 3F)
    File OS:          40004 NT Win32
    File type:        3.6 Driver
    File date:        00000000.00000000
    Translations:     0409.04b0
    CompanyName:      Microsoft Corporation
    ProductName:      Microsoft® Windows® Operating System
    InternalName:     tunnel.sys
    OriginalFilename: tunnel.sys
    ProductVersion:   6.3.9600.16384
    FileVersion:      6.3.9600.16384 (winblue_rtm.130821-1623)
    FileDescription:  Microsoft Tunnel Interface Driver
    LegalCopyright:   © Microsoft Corporation. All rights reserved.
1: kd> !poaction
PopAction: fffff80084f40510
  State..........: 3 - Set System State
  Updates........: 0 
  Action.........: Sleep
  Lightest State.: Hibernate
  Flags..........: 8000000c OverrideApps|Critical
  Irp minor......: SetPower
  System State...: Hibernate
  Hiber Context..: ffffe000478e21a0

Allocated power irps (PopIrpList - fffff80084f4a1b0)

Irp worker threads (PopIrpThreadList - fffff80084f49460)

Broadcast in progress: FALSE

Device State ffffe000458f0160
  Irp minor......: SetPower
  System State...: Hibernate
  Worker thread..: ffffe00049913880
  Status.........: 0
  Waking.........: FALSE
  Cancelled......: FALSE
  Ignore errors..: TRUE
  Ignore not imp.: FALSE

Order:
Level 5 (ffffe000458f0308) -8192/1276313024    Paged, PnP, Video
  WaitSleep:
     ffffe0004c12fdc0: 00000000     
  ReadySleep:
     00000000: 00000000     
couldn't get field value for PO_NOTIFY_ORDER_LEVEL.ReadyS0.Flink


1: kd> !stacks
Proc.Thread  .Thread  Ticks   ThreadState Blocker
GetUlongFromAddress: unable to read from fffff80084fed000
Unable to get value of PsActiveProcessHead.Flink

Threads Processed: 0
[/FONT][/COLOR]

Then I disabled Teredo, 6to4 and ISATAP tunnel, it seems to be OK now, but I don't think tunnel.sys is the criteria since it is a file from microsoft. But I am not a professional on that, the guide said that the [!stacks] can list the kernel stacks, but I got the above error, don't know why. :huh:Could someone give me some help please. Who is the real criteria?
The dump files can be found here, totally 21 minidumps.

Thanks in advance

 

[x BlueRobot]

The !stacks extension will search through the Kernel Address Space of that dump file, a Minidump file will only contain the current memory contents of the last context saved.

 

[x BlueRobot]

Re: BSOD 0x9f on each shutdown-Windows 8.1 x64

Please follow these posting instructions - https://www.sysnative.com/forums/bs...ons-windows-10-8-1-8-7-and-windows-vista.html

 

[5460]

Re: BSOD 0x9f on each shutdown-Windows 8.1 x64

Sorry for the delay. My colleague hasn't brought the notebook to work until this week.

SysnativeFileCollectionApp just keeps saying "Waiting for SystemInfo" . I manually stopped it and zipped the folder.View attachment 10252
Running perfmon /report in an elevated admin CMD prompt got "Access Denied" .

I also uploaded the SysnativeFileCollectionApp folder to the previous OneDrive link, plus a kernel dump and a full dump.
Any help would be appreciated.:lol:

 

[Patrick]

It's really nice to see a user go to the extent you did as far as the debugging goes, kudos.

Tunnel is a MSFT driver, yes. Thanks to your kernel-dump, we can view !stacks now. All through the list we can see:

*** ERROR: Module load completed but symbols could not be loaded for 360AntiHacker64.sys

*** ERROR: Module load completed but symbols could not be loaded for 360FsFlt.sys

*** ERROR: Module load completed but symbols could not be loaded for 360netmon.sys

Just to make sure it's still loaded and you haven't removed it:

2: kd> lmvm 360netmon
start             end                 module name
fffff800`fc714000 fffff800`fc76e000   360netmon   (no symbols)           
    Loaded symbol image file: 360netmon.sys
    Image path: \SystemRoot\system32\DRIVERS\360netmon.sys
    Image name: 360netmon.sys
    Timestamp:        Tue Sep 23 06:38:01 2014

These are all 360 antivirus drivers. I wouldn't touch this antivirus if somebody paid me. Uninstall it ASAP and your crashes should stop unless there's another underlying issue.

 

[5460]

I don't like 360 software neither, but the colleague just trusts them very much. I wanted to uninstall 360 software for a test, but he said "I use 360 on my desktop and another laptop, they both work well, it must be something else that caused the BSOD". Then I'm speechless.
So these 360 drivers are just highly suspected, no direct evidence that they are the cause of the BSOD, right? If so, I have to try to persuade him to agree with the test, pretty hard though.:huh:

Thanks very much for your help. :thumbsup2:

 

[Patrick]

It can just be reinstalled later if it's not the cause, which I'm willing to bet it is. It's not a big deal, really.