Intermittent BSODs - Windows 8.1 Pro x64

toastpaint (Member, joined Aug 3, 2012, 20 posts)
· OS - Windows 8.1, 8, 7, Vista ?

8.1 Pro

· x86 (32-bit) or x64 ?

x64

· What was original installed OS on system?

8.1 Pro x64


· Is the OS an OEM version (came pre-installed on system) or full retail version (YOU purchased it from retailer)?

Full Retail

· Age of system (hardware)

2-3 years

· Age of OS installation - have you re-installed the OS?

Approx 6 months?

· CPU

Intel i7-2700K

· Video Card

GTX580

· MotherBoard - (if NOT a laptop)

Intel Desktop Board DP67BG


· System Manufacturer

BYO


[Attachment: report.zip]
Just seems to occur randomly, in the middle of browsing. Thanks so much for your help :)
 
I'm almost positive F-Secure is behind this.

Enable verifier and let's see.

Driver Verifier:

What is Driver Verifier?

Driver Verifier monitors Windows kernel-mode drivers, graphics drivers, and even 3rd party drivers to detect illegal function calls or actions that might corrupt the system. Driver Verifier can subject the Windows drivers to a variety of stresses and tests to find improper behavior.

Essentially, if there's a 3rd party driver believed to be causing the issues at hand, enabling Driver Verifier will help us see which specific driver is causing the problem.

Before enabling Driver Verifier, it is recommended to create a System Restore Point:

Vista - START | type rstrui - create a restore point
Windows 7 - START | type create | select "Create a Restore Point"
Windows 8/8.1 - Restore Point - Create in Windows 8

How to enable Driver Verifier:

Start > type "verifier" without the quotes > Select the following options -

1. Select - "Create custom settings (for code developers)"
2. Select - "Select individual settings from a full list"
3. Check the following boxes -
- Special Pool
- Pool Tracking
- Force IRQL Checking
- Deadlock Detection
- Security Checks (only on Windows 7 & 8/8.1)
- DDI compliance checking (only on Windows 8/8.1)
- Miscellaneous Checks
4. Select - "Select driver names from a list"
5. Click on the "Provider" tab. This will sort all of the drivers by the provider.
6. Check EVERY box that is NOT provided by Microsoft / Microsoft Corporation.
7. Click on Finish.
8. Restart.

Important information regarding Driver Verifier:

- Perhaps the most important point, which I will now clarify as it has often been misunderstood: enabling Driver Verifier by itself is NOT a solution, but a diagnostic utility. It will tell us if a driver is causing your issues, but again it will not outright solve your issues.

- If Driver Verifier finds a violation, the system will BSOD. To expand on this a bit more for the interested, specifically what Driver Verifier actually does is it looks for any driver making illegal function calls, causing memory leaks, etc. When and/if this happens, system corruption occurs if allowed to continue. When Driver Verifier is enabled per my instructions above, it is monitoring all 3rd party drivers (as we have it set that way) and when it catches a driver attempting to do this, it will quickly flag that driver as being a troublemaker, and bring down the system safely before any corruption can occur.

- After enabling Driver Verifier and restarting the system, depending on the culprit, if for example the driver is on start-up, you may not be able to get back into normal Windows because Driver Verifier will detect it in violation almost straight away, and as stated above, that will cause / force a BSOD.

If this happens, do not panic, do the following:

- Boot into Safe Mode by repeatedly tapping the F8 key during boot-up.

- Once in Safe Mode - Start > Search > type "cmd" without the quotes.

- To turn off Driver Verifier, type in cmd "verifier /reset" without the quotes.

- Restart and boot into normal Windows.

If your OS became corrupt or you cannot boot into Windows after disabling verifier via Safe Mode:

- Boot into Safe Mode by repeatedly tapping the F8 key during boot-up.

- Once in Safe Mode - Start > type "system restore" without the quotes.

- Choose the restore point you created earlier.

-- Note that Safe Mode for Windows 8/8.1 is a bit different, and you may need to try different methods: 5 Ways to Boot into Safe Mode in Windows 8 & Windows 8.1

How long should I keep Driver Verifier enabled for?

I recommend keeping it enabled for at least 24 hours. If you don't BSOD by then, disable Driver Verifier. I will usually say whether or not I'd like for you to keep it enabled any longer.

My system BSOD'd with Driver Verifier enabled, where can I find the crash dumps?

- If you have the system set to generate Small Memory Dumps, they will be located in %systemroot%\Minidump.

- If you have the system set to generate Kernel Memory Dumps, it will be located in %systemroot% and labeled MEMORY.DMP.

Any other questions can most likely be answered by this article:

http://support.microsoft.com/kb/244617
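The same Driver Verifier setup, driven from an elevated PowerShell prompt instead of the verifier GUI. This is an added example, not part of the Sysnative post: it creates the restore point, lists the loaded kernel drivers whose file version info names a provider other than Microsoft (what the GUI's "Provider" tab sorts on), and hands that list plus the option bitmask to verifier.exe. The bit values are the documented verifier.exe /flags values for each option; the restore point description is arbitrary.

```powershell
# Added example (not from the post): Driver Verifier setup from an elevated
# PowerShell prompt. Assumes verifier.exe and Checkpoint-Computer are available
# (Windows 7/8/8.1 with System Protection enabled on the system drive).

# Bit values for the options the post tells you to tick (verifier.exe /flags).
$VerifierOptions = [ordered]@{
    'Special Pool'            = 0x00001
    'Force IRQL Checking'     = 0x00002
    'Pool Tracking'           = 0x00008
    'Deadlock Detection'      = 0x00020
    'Security Checks'         = 0x00100   # Windows 7 and later
    'Miscellaneous Checks'    = 0x00800
    'DDI compliance checking' = 0x20000   # Windows 8 and later
}

function Get-VerifierFlags {
    # Combine the selected options into the hex mask verifier.exe expects.
    param([string[]]$Names = $VerifierOptions.Keys)
    $mask = 0
    foreach ($n in $Names) { $mask = $mask -bor $VerifierOptions[$n] }
    return ('0x{0:X}' -f $mask)
}

function Get-ThirdPartyDriver {
    # Equivalent of the GUI's "Provider" tab: every installed kernel driver whose
    # file version info names a company other than Microsoft.
    Get-CimInstance Win32_SystemDriver |
        Where-Object { $_.PathName } |
        ForEach-Object {
            # PathName may carry a \??\ or \SystemRoot prefix; normalise to a real path.
            $path = $_.PathName -replace '^\\\?\?\\', ''
            $path = $path -replace '^\\SystemRoot', $env:SystemRoot
            if (Test-Path -LiteralPath $path) {
                [pscustomobject]@{
                    Name    = $_.Name
                    File    = [IO.Path]::GetFileName($path)
                    Company = (Get-Item -LiteralPath $path).VersionInfo.CompanyName
                    State   = $_.State
                    Path    = $path
                }
            }
        } |
        Where-Object { -not ($_.Company -match 'Microsoft') }
}

# 1. Restore point first, so a boot-loop can be backed out from Safe Mode.
Checkpoint-Computer -Description 'Before Driver Verifier' -RestorePointType MODIFY_SETTINGS

# 2. Review the list before committing to it.
$drivers = Get-ThirdPartyDriver
$drivers | Format-Table Name, File, Company, State -AutoSize

# 3. Apply: mask first, then the driver file names as separate arguments.
$flags = Get-VerifierFlags
& verifier.exe /flags $flags /driver @($drivers.File | Sort-Object -Unique)

# 4. Confirm what will be active after the next reboot.
& verifier.exe /querysettings

# Back out (from Safe Mode if necessary): verifier.exe /reset
```

With all seven options selected the mask is 0x2092B, and `verifier /querysettings` should echo that value together with the driver list before you reboot. Two caveats: Windows 8 and later silently skip `Checkpoint-Computer` if another restore point was created in the last 24 hours, so check `Get-ComputerRestorePoint` rather than trusting the call; and a driver that is installed but not currently running (State = Stopped) still belongs on the list, because Verifier attaches when the driver loads.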
 
Yep, that's triggered a different BSOD, and it does appear to be related to F-Secure. [Attachment: 072815-14078-01.zip]

Code:
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************


DRIVER_PAGE_FAULT_IN_FREED_SPECIAL_POOL (d5)
Memory was referenced after it was freed.
This cannot be protected by try-except.
When possible, the guilty driver's name (Unicode string) is printed on
the bugcheck screen and saved in KiBugCheckDriver.
Arguments:
Arg1: ffffcf80529f8f6c, memory referenced
Arg2: 0000000000000000, value 0 = read operation, 1 = write operation
Arg3: fffff80175093e87, if non-zero, the address which referenced memory.
Arg4: 0000000000000000, (reserved)


Debugging Details:
------------------




READ_ADDRESS: unable to get nt!MmNonPagedPoolStart
unable to get nt!MmSizeOfNonPagedPoolInBytes
 ffffcf80529f8f6c 


FAULTING_IP: 
fsni64+5e87
fffff801`75093e87 8b4f4c          mov     ecx,dword ptr [rdi+4Ch]


MM_INTERNAL_CODE:  0


IMAGE_NAME:  fsni64.sys


DEBUG_FLR_IMAGE_TIMESTAMP:  559e65e2


MODULE_NAME: fsni64


FAULTING_MODULE: fffff8017508e000 fsni64


DEFAULT_BUCKET_ID:  WIN8_DRIVER_FAULT


BUGCHECK_STR:  0xD5


PROCESS_NAME:  System


CURRENT_IRQL:  0


ANALYSIS_VERSION: 6.3.9600.17336 (debuggers(dbg).150226-1500) amd64fre


TRAP_FRAME:  ffffd0017a1ee860 -- (.trap 0xffffd0017a1ee860)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=ffffc00004376000 rbx=0000000000000000 rcx=00000000000003e9
rdx=0000000000000002 rsi=0000000000000000 rdi=0000000000000000
rip=fffff80175093e87 rsp=ffffd0017a1ee9f0 rbp=ffffd0017a1eea20
 r8=0000000000000000  r9=0000000000000001 r10=0000000000000000
r11=ffffe001853ddfc8 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0         nv up ei pl zr na po nc
fsni64+0x5e87:
fffff801`75093e87 8b4f4c          mov     ecx,dword ptr [rdi+4Ch] ds:00000000`0000004c=????????
Resetting default scope


LAST_CONTROL_TRANSFER:  from fffff802b759505e to fffff802b7565ca0


STACK_TEXT:  
ffffd001`7a1ee5f8 fffff802`b759505e : 00000000`00000050 ffffcf80`529f8f6c 00000000`00000000 ffffd001`7a1ee860 : nt!KeBugCheckEx
ffffd001`7a1ee600 fffff802`b7468839 : 00000000`00000000 ffffe001`79a3d8c0 ffffd001`7a1ee860 fffff801`7508fcdf : nt! ?? ::FNODOBFM::`string'+0x1ee9e
ffffd001`7a1ee6a0 fffff802`b756ff2f : 00000000`00000000 ffffe001`7a6831a0 00000000`00000000 ffffcf80`4745afb0 : nt!MmAccessFault+0x769
ffffd001`7a1ee860 fffff801`75093e87 : ffffe001`7a6831a0 ffffd001`7a1eea20 ffffcf80`48452f40 fffff802`b7aa0fec : nt!KiPageFault+0x12f
ffffd001`7a1ee9f0 fffff801`75096bdf : ffffcf80`48452f40 ffffc000`04376000 ffffc000`0812a000 00000000`00000000 : fsni64+0x5e87
ffffd001`7a1eea50 fffff801`75096b18 : ffffe001`7a6831a0 00000000`00000000 fffff801`75096af0 fffff802`b74c5c59 : fsni64+0x8bdf
ffffd001`7a1eeab0 fffff802`b74c23ac : ffffcf80`4eb28fb0 ffffe001`7c329a00 00000000`00000000 fffff801`72a4d710 : fsni64+0x8b18
ffffd001`7a1eeae0 fffff802`b74c26bc : fffff802`b7487300 fffff802`b74c232c ffffcf80`4eb28fb0 00000000`00000000 : nt!IopProcessWorkItem+0x80
ffffd001`7a1eeb50 fffff802`b751536c : ffffe001`7bf7f6d0 ffffe001`853dd880 00000000`00000080 ffffe001`853dd880 : nt!ExpWorkerThread+0x28c
ffffd001`7a1eec00 fffff802`b756c2c6 : ffffd001`72556180 ffffe001`853dd880 ffffd001`725623c0 fffff802`b74d61e8 : nt!PspSystemThreadStartup+0x58
ffffd001`7a1eec60 00000000`00000000 : ffffd001`7a1ef000 ffffd001`7a1e9000 00000000`00000000 00000000`00000000 : nt!KiStartSystemThread+0x16




STACK_COMMAND:  kb


FOLLOWUP_IP: 
fsni64+5e87
fffff801`75093e87 8b4f4c          mov     ecx,dword ptr [rdi+4Ch]


SYMBOL_STACK_INDEX:  4


SYMBOL_NAME:  fsni64+5e87


FOLLOWUP_NAME:  MachineOwner


IMAGE_VERSION:  1.68.105.0


FAILURE_BUCKET_ID:  0xD5_VRF_fsni64+5e87


BUCKET_ID:  0xD5_VRF_fsni64+5e87


ANALYSIS_SOURCE:  KM


FAILURE_ID_HASH_STRING:  km:0xd5_vrf_fsni64+5e87


FAILURE_ID_HASH:  {cb50f9b0-f5fb-f26e-0397-325e55b9cca3}


Followup: MachineOwner
---------
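A triage script for the dumps Driver Verifier produces, added here as an example and not part of the post or of any F-Secure or Microsoft tooling. It pulls the fields that matter out of `!analyze -v` text (bugcheck, faulting image and version, the `_VRF_` bucket tag that shows Verifier raised the crash, read-versus-write from Arg2, and the instruction offset inside the module from Arg3 minus the module base), and a wrapper runs kd.exe over every file in the Minidump folder the post names. The kd.exe location and symbol path are assumptions; the sample input is an excerpt of the output posted above, so the parser runs without kd.exe or a dump file.

```powershell
# Added example (not from the post): triage '!analyze -v' output from Verifier
# crashes. Assumes kd.exe from Debugging Tools for Windows is on PATH or in
# -KdPath, and dumps live in %SystemRoot%\Minidump as the post describes.

function ConvertFrom-AnalyzeOutput {
    # Extract the fields a triager cares about from '!analyze -v' text.
    param([Parameter(Mandatory)][string]$Text)

    function Get-Field([string]$Key) {
        # Fields print as 'KEY:  value' on their own line.
        if ($Text -match "(?m)^\s*$Key\s*:\s*(\S+)") { $Matches[1] } else { $null }
    }

    $result = [ordered]@{
        Bugcheck       = Get-Field 'BUGCHECK_STR'
        Image          = Get-Field 'IMAGE_NAME'
        ImageVersion   = Get-Field 'IMAGE_VERSION'
        Process        = Get-Field 'PROCESS_NAME'
        Bucket         = Get-Field 'FAILURE_BUCKET_ID'
        VerifierCaught = $false
        Operation      = $null
        FaultOffset    = $null
    }
    # A _VRF_ tag in the bucket means Driver Verifier, not a random fault, raised it.
    $result.VerifierCaught = [bool]($result.Bucket -match '_VRF_')

    # Arg2 is 0 for a read and 1 for a write (0xD5 and 0x50 share this layout).
    if ($Text -match '(?m)^Arg2:\s*([0-9a-fA-F]+)') {
        $result.Operation = if ([Convert]::ToUInt64($Matches[1], 16) -eq 0) { 'read' } else { 'write' }
    }
    # Arg3 is the faulting instruction; subtracting the module base gives the
    # offset that should match the '+xxxx' in SYMBOL_NAME and the bucket.
    if ($Text -match '(?m)^Arg3:\s*([0-9a-fA-F]+)') {
        $ip = [Convert]::ToUInt64($Matches[1], 16)
        if ($Text -match '(?m)^FAULTING_MODULE:\s*([0-9a-fA-F]+)') {
            $base = [Convert]::ToUInt64($Matches[1], 16)
            $result.FaultOffset = '0x{0:x}' -f [uint64]($ip - $base)
        }
    }
    [pscustomobject]$result
}

function Invoke-MinidumpTriage {
    # Run '!analyze -v' over every dump in the folder and summarise each one.
    param(
        [string]$DumpFolder = "$env:SystemRoot\Minidump",
        [string]$KdPath     = 'kd.exe',   # assumed: kd.exe on PATH
        [string]$SymbolPath = 'srv*C:\Symbols*https://msdl.microsoft.com/download/symbols'
    )
    Get-ChildItem -Path $DumpFolder -Filter *.dmp | ForEach-Object {
        $out = & $KdPath -z $_.FullName -y $SymbolPath -c '!analyze -v; q' 2>&1 | Out-String
        ConvertFrom-AnalyzeOutput -Text $out |
            Add-Member -NotePropertyName Dump -NotePropertyValue $_.Name -PassThru
    }
}

# Sample input: an excerpt of the '!analyze -v' output posted in this thread.
$sample = @'
DRIVER_PAGE_FAULT_IN_FREED_SPECIAL_POOL (d5)
Arguments:
Arg1: ffffcf80529f8f6c, memory referenced
Arg2: 0000000000000000, value 0 = read operation, 1 = write operation
Arg3: fffff80175093e87, if non-zero, the address which referenced memory.
Arg4: 0000000000000000, (reserved)
IMAGE_NAME:  fsni64.sys
FAULTING_MODULE: fffff8017508e000 fsni64
BUGCHECK_STR:  0xD5
PROCESS_NAME:  System
SYMBOL_NAME:  fsni64+5e87
IMAGE_VERSION:  1.68.105.0
FAILURE_BUCKET_ID:  0xD5_VRF_fsni64+5e87
'@

ConvertFrom-AnalyzeOutput -Text $sample | Format-List
```

On the posted dump this yields Bugcheck 0xD5, Image fsni64.sys at version 1.68.105.0, a read at module offset 0x5e87, and VerifierCaught set, which is exactly the combination (Verifier's special pool, freed allocation, third-party module) that makes the use-after-free attribution credible. If several dumps from the 24-hour run all land in the same bucket, the problem is reproducible and belongs in a vendor report; if the buckets differ and the image names are all Microsoft's, look at hardware before blaming a driver.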
 

What do I win?

Anyway, yeah, F-Secure's kernel network intercept driver is referencing memory after it has already been freed. This is a big no-no.

Remove F-Secure, or attempt to contact their customer support. If you want, I could also shoot a DM on Twitter to their CRO and see if he's aware of it being a bug or a standalone issue on your end.
 
