Great, thank you very much!
I downloaded all four:
SPECIAL_POOL_DETECTED_MEMORY_CORRUPTION (c1) as we've seen above.
This indicates that the driver wrote to an invalid section of the special pool.
However, this time, we have a kernel!
Taking a look at the call stack:
Code:
2: kd> knL
# Child-SP RetAddr Call Site
00 ffffd000`28d18468 fffff800`f4078f0e nt!KeBugCheckEx
01 ffffd000`28d18470 fffff800`f4079940 nt!MiCheckSpecialPoolSlop+0x8a
02 ffffd000`28d184b0 fffff800`f411f316 nt!MmFreeSpecialPool+0x14c
03 ffffd000`28d185e0 fffff800`003602b4 nt!ExFreePoolWithTag+0x1046
04 ffffd000`28d186b0 fffff800`f44ef128 VerifierExt!ExFreePoolWithTag_wrapper+0x10
05 ffffd000`28d186e0 fffff800`00e6f024 nt!VerifierExFreePoolWithTag+0x44
06 ffffd000`28d18710 fffff800`0400c6ec ndis!NdisFreeNetBufferList+0x124
07 ffffd000`28d18790 fffff800`04010b81 nwifi!Dot11FreeSendPacket+0xa0
08 ffffd000`28d187c0 fffff800`0400c62c nwifi!Dot11SendNBComplete+0x31
09 ffffd000`28d18810 fffff800`0400fee9 nwifi!Dot11SendCompletion+0x44
0a ffffd000`28d18840 fffff800`00e706b0 nwifi!Pt6SendComplete+0x1d
0b ffffd000`28d18870 fffff800`00ecc301 ndis!NdisMSendNetBufferListsComplete+0x1e0
0c ffffd000`28d189e0 fffff800`03370a06 ndis!ndisVerifierNdisMSendNetBufferListsComplete+0x21
0d ffffd000`28d18a20 fffff800`030d5c40 bcmwl63a+0x2bfa06
0e ffffd000`28d18a90 fffff800`03376750 bcmwl63a+0x24c40
0f ffffd000`28d18ac0 fffff800`f3f2da0e bcmwl63a+0x2c5750
10 ffffd000`28d18af0 fffff800`f3f2e1b9 nt!IopProcessWorkItem+0x76
11 ffffd000`28d18b50 fffff800`f3f1a2e4 nt!ExpWorkerThread+0x2b5
12 ffffd000`28d18c00 fffff800`f3fe12c6 nt!PspSystemThreadStartup+0x58
13 ffffd000`28d18c60 00000000`00000000 nt!KiStartSystemThread+0x16
We have a few network-related calls, specifically from nwifi, ndis, etc. VRF flagged the bcmwl63a.sys driver, which we can see in the stack. This is the Broadcom 802.11 Network Adapter wireless driver.
Regarding network drivers, I can see:
-- e22w8x64.sys > Wed Mar 20 17:24:01 2013
^^ Killer Networks Ethernet Card driver.
&
-- bwcW8x64.sys > Wed Feb 13 12:25:48 2013
^^ Broadcom 802.11 Network Adapter wireless driver.
I imagine Killer is for LAN and the Broadcom is the WAN.
Are all of your network drivers up to date via Dell's website?
IRQL_NOT_LESS_OR_EQUAL (a)
This indicates that Microsoft Windows or a kernel-mode driver accessed paged memory at DISPATCH_LEVEL or above.
This bug check is issued if paged memory (or invalid memory) is accessed when the IRQL is too high. The error that generates this bug check usually occurs after the installation of a faulty device driver, system service, or BIOS.
Code:
1: kd> .bugcheck
Bugcheck code 0000000A
Arguments fffffd00`2a77d858 00000000`00000002 00000000`00000000 fffff800`113f7141
2nd parameter - IRQL 2
3rd parameter - 0 = 0x0, which equals READ (WRITE is 0x1). I believe it may have crashed attempting to write to fffffd002a77d858.
4th parameter - Failing instruction address.
*0xA crashes generally occur when there's a failure to access a memory address, which at lower IRQLs equals a page fault. At IRQL 2 and higher, page faults cannot occur.
Let's look at the call stack:
Code:
1: kd> kvnL
# Child-SP RetAddr : Args to Child : Call Site
00 ffffd000`2a6ea018 fffff800`113607e9 : 00000000`0000000a fffffd00`2a77d858 00000000`00000002 00000000`00000000 : nt!KeBugCheckEx
01 ffffd000`2a6ea020 fffff800`1135f03a : 00000000`00000000 8000d563`7d481963 00000000`00000000 ffffd000`2a6ea160 : nt!KiBugCheckDispatch+0x69
02 ffffd000`2a6ea160 fffff800`113f7141 : 00000202`0018002b ffffd000`2a6ea340 00000000`00000000 fffff6e0`00076ba8 : nt!KiPageFault+0x23a (TrapFrame @ ffffd000`2a6ea160)
03 ffffd000`2a6ea2f0 fffff800`1136eae2 : fffff6e8`0011c158 ffffd000`2a6ea380 00000000`00000000 ffffd000`2a77d830 : nt!MiRaisedIrqlFault+0x185
04 ffffd000`2a6ea330 fffff800`1135ef2f : 00000000`00000001 fffff6e8`0011c158 ffffe000`104c3000 ffffd000`2a6ea470 : nt! ?? ::FNODOBFM::`string'+0x9942
05 ffffd000`2a6ea470 fffff800`1135dad0 : fffff800`11266e5d 00000000`00000000 fffff800`00000000 00000000`00000001 : nt!KiPageFault+0x12f (TrapFrame @ ffffd000`2a6ea470)
06 ffffd000`2a6ea608 fffff800`11266e5d : 00000000`00000000 fffff800`00000000 00000000`00000001 fffff680`000a6908 : nt!KeZeroPages+0x10
07 ffffd000`2a6ea610 fffff800`11235b6d : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!MiZeroPhysicalPage+0x181
08 ffffd000`2a6ea660 fffff800`11237815 : ffffe000`0000007f 00000000`00000000 0000000f`ffffffff ffffe000`104c0e98 : nt!MiGetZeroedPages+0x265
09 ffffd000`2a6ea6d0 fffff800`1123a6f7 : 00000000`00000001 00000000`14d22000 ffffd000`2a6eab00 ffffc000`0ed76090 : nt!MiResolveDemandZeroFault+0x805
0a ffffd000`2a6ea7f0 fffff800`112394fb : ffffd000`2a6eaa88 00000000`14d22000 fffff680`000a6910 ffffe000`104c0de8 : nt!MiResolveProtoPteFault+0x5d7
0b ffffd000`2a6ea890 fffff800`11243124 : ffffe000`104c3080 00000000`00000000 00000000`00000000 ffffd000`2a6eaa50 : nt!MiDispatchFault+0x9ab
0c ffffd000`2a6ea9c0 fffff800`1135ef2f : 00000000`00000001 00000000`00b4dab8 ffffd000`00000001 ffffd000`2a6eab00 : nt!MmAccessFault+0x364
0d ffffd000`2a6eab00 00000000`51b2a058 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiPageFault+0x12f (TrapFrame @ ffffd000`2a6eab00)
0e 00000000`00b4da44 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x51b2a058
Code:
1: kd> .trap 0xffffd0002a6ea470
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=0000000000000000 rbx=0000000000000000 rcx=ffffd0002382b000
rdx=0000000000000020 rsi=0000000000000000 rdi=0000000000000000
rip=fffff8001135dad0 rsp=ffffd0002a6ea608 rbp=0000000000000001
r8=8000d5637d481963 r9=00000904c0000000 r10=000000000000003f
r11=0000000000000000 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei pl nz na pe nc
nt!KeZeroPages+0x10:
Page d5637d481 too large to be in the dump file.
fffff800`1135dad0 480fc301 movnti qword ptr [rcx],rax ds:ffffd000`2382b000=????????????????
Code:
1: kd> kvnL
*** Stack trace for last set context - .thread/.cxr resets it
# Child-SP RetAddr : Args to Child : Call Site
00 ffffd000`2a6ea608 fffff800`11266e5d : 00000000`00000000 fffff800`00000000 00000000`00000001 fffff680`000a6908 : nt!KeZeroPages+0x10
01 ffffd000`2a6ea610 fffff800`11235b6d : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!MiZeroPhysicalPage+0x181
02 ffffd000`2a6ea660 fffff800`11237815 : ffffe000`0000007f 00000000`00000000 0000000f`ffffffff ffffe000`104c0e98 : nt!MiGetZeroedPages+0x265
03 ffffd000`2a6ea6d0 fffff800`1123a6f7 : 00000000`00000001 00000000`14d22000 ffffd000`2a6eab00 ffffc000`0ed76090 : nt!MiResolveDemandZeroFault+0x805
04 ffffd000`2a6ea7f0 fffff800`112394fb : ffffd000`2a6eaa88 00000000`14d22000 fffff680`000a6910 ffffe000`104c0de8 : nt!MiResolveProtoPteFault+0x5d7
05 ffffd000`2a6ea890 fffff800`11243124 : ffffe000`104c3080 00000000`00000000 00000000`00000000 ffffd000`2a6eaa50 : nt!MiDispatchFault+0x9ab
06 ffffd000`2a6ea9c0 fffff800`1135ef2f : 00000000`00000001 00000000`00b4dab8 ffffd000`00000001 ffffd000`2a6eab00 : nt!MmAccessFault+0x364
07 ffffd000`2a6eab00 00000000`51b2a058 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiPageFault+0x12f (TrapFrame @ ffffd000`2a6eab00)
08 00000000`00b4da44 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x51b2a058
Definitely looks like a driver issue, most likely the wireless as we saw flagged in the *C1. A lot of page faults were occurring in the original stack, and disassembly doesn't appear very easy and/or possible. I get a memory access error when attempting to access the rip register.
I've checked the modules list left & right, and unless I am missing any, I can't seem to locate any security and/or firewall software installed. Just to be sure, do you have any?
Regards,
Patrick
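
Added example, not part of Patrick's post: a small Python triage helper that parses `k`/`kn`-style stack output and lists the modules that appear only as `module+offset`, together with the symbolized call the first such frame made. The function names are hypothetical, the frames are copied (abridged) from the first stack above, and a `module+offset` frame only shows that no symbols were loaded for that image, which makes it a lead rather than proof of fault.

```python
import re

# Frames copied (abridged) from the first knL listing in the post above.
STACK = """\
00 ffffd000`28d18468 fffff800`f4078f0e nt!KeBugCheckEx
01 ffffd000`28d18470 fffff800`f4079940 nt!MiCheckSpecialPoolSlop+0x8a
06 ffffd000`28d18710 fffff800`0400c6ec ndis!NdisFreeNetBufferList+0x124
07 ffffd000`28d18790 fffff800`04010b81 nwifi!Dot11FreeSendPacket+0xa0
0c ffffd000`28d189e0 fffff800`03370a06 ndis!ndisVerifierNdisMSendNetBufferListsComplete+0x21
0d ffffd000`28d18a20 fffff800`030d5c40 bcmwl63a+0x2bfa06
0e ffffd000`28d18a90 fffff800`03376750 bcmwl63a+0x24c40
0f ffffd000`28d18ac0 fffff800`f3f2da0e bcmwl63a+0x2c5750
10 ffffd000`28d18af0 fffff800`f3f2e1b9 nt!IopProcessWorkItem+0x76
"""

# Frame number, Child-SP, RetAddr, call site: the column layout of k/kn output.
FRAME = re.compile(r"^([0-9a-f]{2,})\s+([0-9a-f`]+)\s+([0-9a-f`]+)\s+(\S+)$")

def parse_frames(text):
    """Return (frame_no, module, symbol-or-None) for each k/kn stack line."""
    frames = []
    for line in text.splitlines():
        m = FRAME.match(line.strip())
        if not m:
            continue  # column header or unrelated debugger output
        site = m.group(4)
        if "!" in site:
            module, symbol = site.split("!", 1)
        else:
            # "module+0xNNN": the debugger had no symbols for this image
            module, symbol = site.split("+", 1)[0], None
        frames.append((int(m.group(1), 16), module, symbol))
    return frames

def unsymbolized_modules(frames):
    """Modules seen only as module+offset, in stack order, de-duplicated."""
    seen = []
    for _, module, symbol in frames:
        if symbol is None and not module.startswith("0x") and module not in seen:
            seen.append(module)
    return seen

def boundary(frames):
    """First unsymbolized frame from the top and the symbolized call it made."""
    for prev, cur in zip(frames, frames[1:]):
        if cur[2] is None and prev[2] is not None and not cur[1].startswith("0x"):
            return cur[0], cur[1], f"{prev[1]}!{prev[2]}"
    return None
```
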