[SOLVED] Repeated BSOD 0x000000d1 on Windows 10?

[LRSFC_Danj]

• The user has experienced repeated BSODs, all 0x000000d1, analysis of the latest memory dump using WinDbg appears to implicate NETIO.SYS so it seems network driver / network interface related in some way?
• Dell
• Laptop
• Dell Latitude 3510
• Windows 10 Enterprise 22H2 64-bit
• Volume licensed
• 3 years old
• Intel(R) Core(TM) i3-10110U CPU @ 2.10GHz
• Micron 8ATF1G64HZ-3G2J1 8GB 3200MHz SODIMM
• Intel(R) UHD Graphics
• Driver verifier not enabled
• Sophos Intercept X with XDR
• Cisco AnyConnect VPN (but the incident happened when the VPN was not active / not in use)
• No disk image tools
• No overclocking software

Can anyone suggest what might be causing this repeated BSOD?

Sysnative BSOD collector results zip file attached.

 

[ubuysa]

Welcome!

The dumps are all similar and all fail during an http network access. There are three third-party drivers on the call stacks (almost all BSODs are third-party driver related), these are:

• SophosED.sys, a component of Sophos Security. Third-party security products often cause BSODs but I think there is another driver responsible here, although this driver is dated November 2022 and is thus six months old.
• acsock64.sys, a component of the CISCO AnyConnect VPN service. VPNs do sometimes cause BSODs but I don't think this is the problem here, especially as the driver is dated February 2023.
• NSWebFilterDriver.sys, a component of a NetSupport IT management tool with which I'm not familiar. The page fault bugcheck occurs immediately after a call to this driver, which is very old, dating from August 2017. I rather think that this is the cause of the bugchecks.

A sample of a call stack is here...

ffff8181`370d66b0  00000000`00000000
ffff8181`370d66b8  fffff800`7940b8e3 nt!KiPageFault+0x463
ffff8181`370d66c0  00000000`00000000
ffff8181`370d66c8  fffff800`9cea3210Unable to load image \SystemRoot\system32\DRIVERS\NSWebFilterDriver.sys, Win32 error 0n2
*** WARNING: Unable to verify timestamp for NSWebFilterDriver.sys
 NSWebFilterDriver+0x13210
ffff8181`370d66d0  00000000`00000000
ffff8181`370d66d8  ffff898b`7e05b0e0
ffff8181`370d66e0  fffff800`8f770aa8Unable to load image \SystemRoot\system32\DRIVERS\acsock64.sys, Win32 error 0n2
*** WARNING: Unable to verify timestamp for acsock64.sys
 acsock64+0x40aa8
ffff8181`370d66e8  00001f80`01000138
ffff8181`370d66f0  00000000`00001001
ffff8181`370d66f8  ffff898b`764dfa00

<snip, snip>

ffff8181`370d6980  00000001`00000100
ffff8181`370d6988  fffff800`7bc7decfUnable to load image \SystemRoot\system32\DRIVERS\SophosED.sys, Win32 error 0n2
*** WARNING: Unable to verify timestamp for SophosED.sys
 SophosED+0x9decf
ffff8181`370d6990  ffff8181`370d68b0
ffff8181`370d6998  00000000`00000000
ffff8181`370d69a0  00000000`00000000

I would suggest that the user contact NetSupport's support team and ask about an updated driver, or reconsider their use of the product.

 

[x BlueRobot]

I agree with @ubuysa, the issue does appear most likely related to NSWebFilterDriver.sys. If you could provide a kernel memory dump from %systemroot%\MEMORY.DMP and then upload it to a cloud storage service like WeTransfer, OneDrive or Google Drive then we might be able to gather information to confirm this is the case if needs be. I assume that this might be work related software? I can see that you're running an Enterprise edition of Windows.

 

[LRSFC_Danj]

I agree with @ubuysa, the issue does appear most likely related to NSWebFilterDriver.sys. If you could provide a kernel memory dump from %systemroot%\MEMORY.DMP and then upload it to a cloud storage service like WeTransfer, OneDrive or Google Drive then we might be able to gather information to confirm this is the case if needs be. I assume that this might be work related software? I can see that you're running an Enterprise edition of Windows.

Yep, this is work related. I work in the IT Services Dept, but while we did a bunch of Googling we really could not find much on STOP 0xd1 errors. In this case, the involved software is likely the NetSupport DNA agent, our (soon-to-be-former) safeguarding software (we're changing vendors in the summer). When I get back in to work on Monday I'll try uninstalling it and check that this stops the bluescreens.

Thanks both of you for looking at this.

 

[x BlueRobot]

No problem, please let us know how it goes.

 

[LRSFC_Danj]

No problem, please let us know how it goes.

It does look as if this was the issue, we have replaced NetSupport DNA with the Senso.cloud client on every laptop where this happened and the 0xd1 blue screens have not reoccurred.

Thanks very much for your help.

Just out of interest, is there a guide anywhere to how you were able to identify the culprit? As it seems like something I ought to learn how to do myself.

 

[x BlueRobot]

Just out of interest, is there a guide anywhere to how you were able to identify the culprit? As it seems like something I ought to learn how to do myself.

I'm glad you managed to get your issue resolved. We have plenty of examples in our BSOD Tutorial Index: Bugcheck Tutorial Index

Here's a very similar problem to yours: Debugging Stop 0xD1 – Looking at Network Filter Callouts

Machines Can Think is my own site and most of the recent posts mirror what is on Sysnative.