[SOLVED] BSOD REFERENCE_BY_POINTER ntoskrnl.exe - Windows 8.1 x64

christantoan

Lately my notebook crashed with this message. It happens especially often when it is left alone.

· OS - Windows 8.1, 8, 7, Vista ?
Windows 10, but it also happens before I updated to Windows 10 (Windows 8.1)
· x86 (32-bit) or x64 ?
x64
· What was original installed OS on system?
DOS
· Is the OS an OEM version (came pre-installed on system) or full retail version (YOU purchased it from retailer)?
Downloaded from MS
· Age of system (hardware)
2 years
· Age of OS installation - have you re-installed the OS?
Windows 10 - This month
Windows 8.1 - 1 year ago

· CPU
Intel i7 3630M
· Video Card
Intel Integrated
NVidia GeForce 740M
· MotherBoard - (if NOT a laptop)
· Power Supply - brand & wattage (if laptop, skip this one)

· System Manufacturer
ASUS
· Exact model number (if laptop, check label on bottom)
N56VB

· Laptop or Desktop?
Laptop

View attachment perfmon.zip
View attachment SysnativeFileCollectionApp.zip

Thanks
 
Could you please upload a Kernel Memory Dump? The dump will be located here:

Code:
C:\Windows\MEMORY.DMP

Please save in a zipped folder and then upload to a file sharing site like Dropbox.
 
Code:
BugCheck 18, {0, ffffe00065e8c690, 2, fffffffffffffffd}

Probably caused by : afd.sys ( afd! ?? ::NNGAKEGL::`string'+10d9 )

The second parameter contains the address of the object which was being referenced.

Code:
3: kd> !object ffffe00065e8c690
Object: ffffe00065e8c690  Type: (ffffe0005b606b50) Section
    ObjectHeader: ffffe00065e8c660 (new version)
    HandleCount: 0  PointerCount: 4294967293

Okay, someone loves this object?

Code:
3: kd> dt nt!_OBJECT_HEADER ffffe00065e8c660
   +0x000 PointerCount     : 0n-3
   +0x008 HandleCount      : 0n0
   +0x008 NextToFree       : (null) 
   +0x010 Lock             : _EX_PUSH_LOCK
   +0x018 TypeIndex        : 0x25 'Unknown format characterUnknown format control character
   +0x019 TraceFlags       : 0 ''
   +0x019 DbgRefTrace      : 0y0
   +0x019 DbgTracePermanent : 0y0
   +0x01a InfoMask         : 0x4c 'L'
   +0x01b Flags            : 0x42 'B'
   +0x01b NewObject        : 0y0
   +0x01b KernelObject     : 0y1
   +0x01b KernelOnlyAccess : 0y0
   +0x01b ExclusiveObject  : 0y0
   +0x01b PermanentObject  : 0y0
   +0x01b DefaultSecurityQuota : 0y0
   +0x01b SingleHandleEntry : 0y1
   +0x01b DeletedInline    : 0y0
   +0x01c Spare            : 0x760065
   +0x020 ObjectCreateInfo : 0x00000000`00000001 _OBJECT_CREATE_INFORMATION
   +0x020 QuotaBlockCharged : 0x00000000`00000001 Void
   +0x028 SecurityDescriptor : (null) 
   +0x030 Body             : _QUAD

Code:
3: kd> .formats 0n-3
Evaluate expression:
  Hex:     ffffffff`fffffffd
  Decimal: -3
  Octal:   1777777777777777777775
  Binary:  11111111 11111111 11111111 11111111 11111111 11111111 11111111 11111101
  Chars:   ........
  Time:    ***** Invalid
  Float:   low -1.#QNAN high -1.#QNAN
  Double:  -1.#QNAN

The pointer count appears to have dropped below 0, notice the value of the fourth parameter in the bugcheck?

Code:
3: kd> .bugcheck
Bugcheck code 00000018
Arguments 00000000`00000000 ffffe000`65e8c690 00000000`00000002 ffffffff`fffffffd

Here's an extract from the bugcheck description:

Code:
It may also occur when the object’s reference count drops below zero
    whether or not there are open handles to the object, and in that case the fourth parameter
    contains the actual value of the pointer references count.

I have a feeling, that Kaspersky might be causing some problems here.

Code:
3: kd> !running
System Processors:  (00000000000000ff)
  Idle Processors:  (00000000000000f6)

       Prcbs             Current         (pri) Next            (pri) Idle
  0    fffff803367ee180  ffffe000632a2080 ( 8)                       fffff80336864740  ................
  3    ffffd00141647180  ffffe000639f8040 (12)                       ffffd00141653cc0  ................

Code:
3: kd> !thread ffffe000632a2080
THREAD ffffe000632a2080  Cid 0c18.0388  Teb: 000000007ed5e000 Win32Thread: 0000000000000000 RUNNING on processor 0
Impersonation token:  ffffc00158da8060 (Level Impersonation)
Owning Process            ffffe00062265080       Image:         avp.exe
Attached Process          N/A            Image:         N/A
Wait Start TickCount      238103         Ticks: 0
Context Switch Count      26025          IdealProcessor: 0             
UserTime                  00:00:45.375
KernelTime                00:00:11.640
Win32 Start Address 0x00000000733bc59c
Stack Init ffffd000227a2c90 Current ffffd000227a2870
Base ffffd000227a3000 Limit ffffd0002279d000 Call 0
Priority 8 BasePriority 8 UnusualBoost 0 ForegroundBoost 0 IoPriority 2 PagePriority 5
Child-SP          RetAddr           : Args to Child                                                           : Call Site
00000000`0ad6d024 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x6c43930b

Please temporarily remove KIS, and then reboot your system.
 
OK. Here are the things I understand from your posts:
1. I should uninstall KIS
2.
From the bugcheck 2nd parameter you get the address of the object being referenced (ffffe00065e8c690).
From there you get the object header (ffffe00065e8c660).
From the object header you get the PointerCount (0n-3); I also noticed that it's a zero, not an O.
Then, because 0n-3 = -3, I got the BSOD.
And I'm lost from there.

Thanks. I'll remove KIS for now. Anything I can do besides just waiting if the BSOD happens again?
 
I would just wait at the moment. afd.sys relates to Windows Sockets and KIS is an Internet Security program, and thus will interact with some of the Windows networking components. I used !running to see which threads were running at the time of the crash, because I noticed that avp.exe (KIS) had the largest pool consumption of the currently running processes, which would make sense due to the large apparent pointer count.
 
Did you go from Kaspersky to Bitdefender?

Anyway, it may be worth enabling verifier...

Driver Verifier:

What is Driver Verifier?

Driver Verifier monitors Windows kernel-mode drivers, graphics drivers, and even 3rd party drivers to detect illegal function calls or actions that might corrupt the system. Driver Verifier can subject the Windows drivers to a variety of stresses and tests to find improper behavior.

Essentially, if there's a 3rd party driver believed to be causing the issues at hand, enabling Driver Verifier will help us see which specific driver is causing the problem.

Before enabling Driver Verifier, it is recommended to create a System Restore Point:

Vista - START | type rstrui - create a restore point
Windows 7 - START | type create | select "Create a Restore Point"
Windows 8/8.1 - Restore Point - Create in Windows 8

How to enable Driver Verifier:

Start > type "verifier" without the quotes > Select the following options -

1. Select - "Create custom settings (for code developers)"
2. Select - "Select individual settings from a full list"
3. Check the following boxes -
- Special Pool
- Pool Tracking
- Force IRQL Checking
- Deadlock Detection
- Security Checks (only on Windows 7 & 8/8.1)
- DDI compliance checking (only on Windows 8/8.1)
- Miscellaneous Checks
4. Select - "Select driver names from a list"
5. Click on the "Provider" tab. This will sort all of the drivers by the provider.
6. Check EVERY box that is NOT provided by Microsoft / Microsoft Corporation.
7. Click on Finish.
8. Restart.

Important information regarding Driver Verifier:

- Perhaps the most important point, which I will now clarify as it has often been misunderstood: enabling Driver Verifier by itself is not! a solution, but instead a diagnostic utility. It will tell us if a driver is causing your issues, but again it will not outright solve your issues.

- If Driver Verifier finds a violation, the system will BSOD. To expand on this a bit more for the interested, specifically what Driver Verifier actually does is it looks for any driver making illegal function calls, causing memory leaks, etc. When and/if this happens, system corruption occurs if allowed to continue. When Driver Verifier is enabled per my instructions above, it is monitoring all 3rd party drivers (as we have it set that way) and when it catches a driver attempting to do this, it will quickly flag that driver as being a troublemaker, and bring down the system safely before any corruption can occur.

- After enabling Driver Verifier and restarting the system, depending on the culprit, if for example the driver is on start-up, you may not be able to get back into normal Windows because Driver Verifier will detect it in violation almost straight away, and as stated above, that will cause / force a BSOD.

If this happens, do not panic, do the following:

- Boot into Safe Mode by repeatedly tapping the F8 key during boot-up.

- Once in Safe Mode - Start > Search > type "cmd" without the quotes.

- To turn off Driver Verifier, type in cmd "verifier /reset" without the quotes.

- Restart and boot into normal Windows.

If your OS became corrupt or you cannot boot into Windows after disabling verifier via Safe Mode:

- Boot into Safe Mode by repeatedly tapping the F8 key during boot-up.

- Once in Safe Mode - Start > type "system restore" without the quotes.

- Choose the restore point you created earlier.

-- Note that Safe Mode for Windows 8/8.1 is a bit different, and you may need to try different methods: 5 Ways to Boot into Safe Mode in Windows 8 & Windows 8.1

How long should I keep Driver Verifier enabled for?

I recommend keeping it enabled for at least 24 hours. If you don't BSOD by then, disable Driver Verifier. I will usually say whether or not I'd like for you to keep it enabled any longer.

My system BSOD'd with Driver Verifier enabled, where can I find the crash dumps?

- If you have the system set to generate Small Memory Dumps, they will be located in %systemroot%\Minidump.

- If you have the system set to generate Kernel Memory Dumps, it will be located in %systemroot% and labeled MEMORY.DMP.

Any other questions can most likely be answered by this article:

http://support.microsoft.com/kb/244617
 
Looks like networx.sys passed a bad handle object, causing Verifier to flag it as bad:
Code:
// Bugcheck 0xC4, one of my favorites - driver verifier detected bad behavior and crashed the box!!!
// Arg 1 is 0xF6, which means there is a bad handle being passed somewhere, and param 2 is the handle,
// param 3 is the process, and param 4 is the address that caused this:
4: kd> .bugcheck
Bugcheck code 000000C4
Arguments 00000000`000000f6 00000000`00000430 ffffe000`79bd1080 fffff801`f1ec13c6


// networx.exe is indeed the process:
4: kd> !process ffffe00079bd1080
PROCESS ffffe00079bd1080
    SessionId: 1  Cid: 1b38    Peb: 7ff5ffffe000  ParentCid: 1a6c
    DirBase: 198158000  ObjectTable: ffffc0019b8b1040  HandleCount: <Data Not Accessible>
    Image: networx.exe
    VadRoot ffffe000798bee40 Vads 178 Clone 0 Private 3048. Modified 393641. Locked 0.
    DeviceMap ffffc0019710a8d0
    Token                             ffffc001a72068e0
    ElapsedTime                       00:00:24.828
    UserTime                          00:00:00.000
    KernelTime                        00:00:00.000
    QuotaPoolUsage[PagedPool]         261688
    QuotaPoolUsage[NonPagedPool]      25208
    Working Set Sizes (now,min,max)  (7459, 50, 345) (29836KB, 200KB, 1380KB)
    PeakWorkingSetSize                7350
    VirtualSize                       160 Mb
    PeakVirtualSize                   160 Mb
    PageFaultCount                    53692
    MemoryPriority                    BACKGROUND
    BasePriority                      8
    CommitCharge                      4315

// The handle appears to be a handle to the same process:
4: kd> !handle 430 8
PROCESS ffffe00079bd1080
    SessionId: 1  Cid: 1b38    Peb: 7ff5ffffe000  ParentCid: 1a6c
    DirBase: 198158000  ObjectTable: ffffc0019b8b1040  HandleCount: <Data Not Accessible>
    Image: networx.exe

Handle Error reading handle count.

0430: Object: ffffe0007fad0080  GrantedAccess: 00000000 (Protected) (Audit)


// So what actually happened at that address?  If this is accurate, the compare is going to fail...
4: kd> .trap ffffd000`2532f440
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=0000000000000000 rbx=0000000000000000 rcx=0000000000000000
rdx=0000000000000000 rsi=0000000000000000 rdi=0000000000000000
rip=fffff8027e9c80b0 rsp=ffffd0002532f5d8 rbp=0000000000000000
 r8=0000000000000000  r9=0000000000000000 r10=0000000000000000
r11=ffffd0002532f450 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0         nv up di ng nz na pe nc
nt!KiServiceLinkage:
fffff802`7e9c80b0 c3              ret

4: kd> u fffff801`f1ec13c6
networx+0x13c6:
fffff801`f1ec13c6 3d040000c0      cmp     eax,0C0000004h
fffff801`f1ec13cb 8bf8            mov     edi,eax
fffff801`f1ec13cd 756a            jne     networx+0x1439 (fffff801`f1ec1439)
fffff801`f1ec13cf 8b942480000000  mov     edx,dword ptr [rsp+80h]
fffff801`f1ec13d6 33c9            xor     ecx,ecx
fffff801`f1ec13d8 41b8464c5432    mov     r8d,32544C46h
fffff801`f1ec13de ff156cbd0000    call    qword ptr [networx+0xd150 (fffff801`f1ecd150)]
fffff801`f1ec13e4 4885c0          test    rax,rax

4: kd> r @eax
Last set context:
eax=0

4: kd> r @edi
Last set context:
edi=0


// At least from this dump, you need to consider the networx driver is the culprit:
4: kd> lmvm networx
Browse full module list
start             end                 module name
fffff801`f1ec0000 fffff801`f1ed3000   networx    (no symbols)           
    Loaded symbol image file: networx.sys
    Image path: \SystemRoot\system32\drivers\networx.sys
    Image name: networx.sys
    Timestamp:        Fri Apr 17 05:15:23 2015 (5530F95B)
    CheckSum:         000205B0
    ImageSize:        00013000
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4


https://www.softperfect.com/products/networx/
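Added example, not code from the thread: a small Python decoder for the two `.bugcheck` outputs quoted above, the REFERENCE_BY_POINTER (0x18) arguments from the first analysis and the Driver Verifier 0xC4/0xF6 arguments from the last post. It reinterprets the fourth 0x18 parameter as a signed 64-bit value, which is why ffffffff`fffffffd reads as -3, and shows why !object displayed the same count as 4294967293 (the low 32 bits of -3). The sample lines are constructed to match the thread's output; the parameter meanings are the ones the posts themselves give.

```python
import re

# Constructed samples, copied in shape from the `.bugcheck` output quoted in this thread.
BUGCHECK_0x18 = """Bugcheck code 00000018
Arguments 00000000`00000000 ffffe000`65e8c690 00000000`00000002 ffffffff`fffffffd"""
BUGCHECK_0xC4 = """Bugcheck code 000000C4
Arguments 00000000`000000f6 00000000`00000430 ffffe000`79bd1080 fffff801`f1ec13c6"""

MASK64 = (1 << 64) - 1


def to_signed64(value):
    """Two's-complement view of a 64-bit value, the same thing `.formats` reports as Decimal."""
    value &= MASK64
    return value - (1 << 64) if value >> 63 else value


def low32_unsigned(value):
    """Low 32 bits as unsigned, which is how `!object` displayed the count (4294967293)."""
    return value & 0xFFFFFFFF


def parse_bugcheck(text):
    """Return (code, [arg1, arg2, arg3, arg4]) from `.bugcheck` output; '`' is WinDbg's 64-bit separator."""
    code = int(re.search(r"Bugcheck code ([0-9A-Fa-f]+)", text).group(1), 16)
    raw = re.search(r"Arguments (.+)", text).group(1).split()
    return code, [int(a.replace("`", ""), 16) for a in raw]


def describe(code, args):
    """Interpret the parameters for the two stop codes discussed in the thread."""
    a1, a2, a3, a4 = args
    if code == 0x18:  # REFERENCE_BY_POINTER: arg2 is the object, arg4 the pointer count once it underflowed
        count = to_signed64(a4)
        return {"name": "REFERENCE_BY_POINTER", "object": a2, "pointer_count": count,
                "underflow": count < 0, "shown_by_!object": low32_unsigned(count)}
    if code == 0xC4 and a1 == 0xF6:  # Driver Verifier, bad handle: arg2 handle, arg3 process, arg4 caller
        return {"name": "DRIVER_VERIFIER_DETECTED_VIOLATION", "subcode": a1, "handle": a2,
                "process": a3, "caller": a4}
    return {"name": hex(code), "args": args}


if __name__ == "__main__":
    for sample in (BUGCHECK_0x18, BUGCHECK_0xC4):
        print(describe(*parse_bugcheck(sample)))
```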
 
