Debugging Analysis:
Code:
BugCheck D1, {fffffa80096cd003, 2, 0, fffffa80088064cf}
Probably caused by : ntkrnlmp.exe ( nt!KiPageFault+260 )
The problem seems to have happened as a result of an invalid page fault; a driver has referenced a non-paged pool address (fffffa80096cd003). Page faults will not be serviced at IRQL Level 2.
Code:
FAULTING_IP:
+0
fffffa80`088064cf 0fb602 movzx eax,byte ptr [rdx]
According to the Intel Developer Manual, this instruction causes an exception if a page fault occurs (Page 1032).
Code:
0: kd> r @rdx
rdx=fffffa80096cd003
Code:
0: kd> r @eax
eax=89ed870
Code:
fffff880089ed8b0 -- (.trap 0xfffff880089ed8b0)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=000000000000052d rbx=0000000000000000 rcx=0000000000000519
rdx=fffffa80096cd003 rsi=0000000000000000 rdi=0000000000000000
rip=fffffa80088064cf rsp=fffff880089eda40 rbp=fffffa80096ccac6
r8=0000000000000002 r9=0000000000001300 r10=0000000000000531
r11=fffffa80096ccaee r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei ng nz na po cy
fffffa80`088064cf 0fb602 movzx eax,byte ptr [rdx] ds:fffffa80`096cd003=??
Resetting default scope
The movzx instruction is used to move data from one register to another, with a padding of zeros. The Data Segment also contains the address of the rax register.
Code:
0: kd> .formats 89ed870
Evaluate expression:
Hex: 00000000`089ed870
Code:
0: kd> lmvm epfw
start end module name
fffff880`06d73000 fffff880`06da4000 epfw (no symbols)
Loaded symbol image file: epfw.sys
Image path: \SystemRoot\system32\DRIVERS\epfw.sys
Image name: epfw.sys
Timestamp: Tue Jun 28 08:30:10 2011 (4E098302)
CheckSum: 0003466B
ImageSize: 00031000
Translations: 0000.04b0 0000.04e4 0409.04b0 0409.04e4
This driver is related to ESET; please remove the program with the ESET Removal Tool, or find an updated version of the program.
Code:
0: kd> lmvm EpfwLWF
start end module name
fffff880`0435a000 fffff880`04367000 EpfwLWF (no symbols)
Loaded symbol image file: EpfwLWF.sys
Image path: \SystemRoot\system32\DRIVERS\EpfwLWF.sys
Image name: EpfwLWF.sys
Timestamp: Mon Jul 11 17:19:38 2011 (4E1B229A)
CheckSum: 0000BEB6
ImageSize: 0000D000
Translations: 0000.04b0 0000.04e4 0409.04b0 0409.04e4
This is related to ESET ESS/NOD32, the same principle applies as above with the other driver.
The VPN program was also running at the time of the crash; have you tried it with Microsoft Security Essentials?
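
Added example, not part of the original post: a Python sketch that decodes the four `BugCheck D1` arguments quoted above and checks whether the referenced address or the faulting instruction pointer falls inside the module ranges printed by `lmvm`. The argument meanings follow Microsoft's documentation for bug check 0xD1; the function names and the `SAMPLE` text (lines copied from the post) are assumptions of this example.

```python
import re

# Constructed sample input: debugger output lines copied from the post above.
SAMPLE = """\
BugCheck D1, {fffffa80096cd003, 2, 0, fffffa80088064cf}
start end module name
fffff880`06d73000 fffff880`06da4000 epfw (no symbols)
start end module name
fffff880`0435a000 fffff880`04367000 EpfwLWF (no symbols)
"""

# Bug check 0xD1 (DRIVER_IRQL_NOT_LESS_OR_EQUAL), parameter 3 values.
ACCESS = {0: "read", 1: "write", 8: "execute"}

BUGCHECK_RE = re.compile(r"BugCheck\s+([0-9A-Fa-f]+),\s*\{([^}]*)\}")
ADDR = r"[0-9a-f]{8}`[0-9a-f]{8}"
MODULE_RE = re.compile(rf"^({ADDR})\s+({ADDR})\s+(\S+)", re.M | re.I)

def to_int(text):
    """Convert a WinDbg hex value (optionally containing a backtick) to int."""
    return int(text.replace("`", ""), 16)

def parse_d1(text):
    """Decode the four arguments of a bug check 0xD1 summary line."""
    m = BUGCHECK_RE.search(text)
    if not m:
        raise ValueError("no BugCheck line found")
    args = [to_int(a) for a in m.group(2).split(",")]
    if to_int(m.group(1)) != 0xD1 or len(args) != 4:
        raise ValueError("not a four-argument bug check 0xD1 line")
    return {"referenced": args[0], "irql": args[1],
            "access": ACCESS.get(args[2], "unknown"), "faulting_ip": args[3]}

def parse_modules(text):
    """Collect (start, end, name) tuples from lmvm module lines."""
    return [(to_int(s), to_int(e), n) for s, e, n in MODULE_RE.findall(text)]

def owner(address, modules):
    """Return the module whose [start, end) range holds address, else None."""
    for start, end, name in modules:
        if start <= address < end:
            return name
    return None

if __name__ == "__main__":
    info, mods = parse_d1(SAMPLE), parse_modules(SAMPLE)
    print(f"{info['access']} of {info['referenced']:#x} at IRQL {info['irql']}")
    for key in ("referenced", "faulting_ip"):
        print(key, "->", owner(info[key], mods) or "not in a listed module")
```
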