Tpm.sys, what causes the this BSoD?

[181951]

DMP FILE.

I never understand, is it a security problem? or a hardware problem? Or a driver problem? What do we associate it with?

 

[ubuysa]

Is this a 'for interest' question or are you having a genuine problem? If the latter then please follow the BSOD posting instructions so we get all the relevant data.

• Under what circumstances does this BSOD happen? For example, is it at boot or during some particular set of circumstances?
• Does it BSOD in Safe Mode?
• Can you isolate a driver(s) via a selective Clean Boot?
• Do you have a real TPM or a BIOS emulated TPM?

We can see that the page fault happens apparently because the R15 register is zero (given the effective address)...

TRAP_FRAME:  fffff309d2dbd720 -- (.trap 0xfffff309d2dbd720)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=0000000000000000 rbx=0000000000000000 rcx=0000000000000000
rdx=ffffe28245a65110 rsi=0000000000000000 rdi=0000000000000000
rip=fffff80725503beb rsp=fffff309d2dbd8b0 rbp=fffff309d2dbd930
 r8=000000000000003b  r9=ffffd2828b5ddb20 r10=fffff807255450a0
r11=0000000000000002 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0         nv up ei pl nz na pe nc
tpm!Tpm20ResourceMgr::SubmitRequest+0x22b:
fffff807`25503beb 410fb64f37      movzx   ecx,byte ptr [r15+37h] ds:00000000`00000037=??
Resetting default scope

The question then becomes 'why is R15 zero?'..

One question I'd have is what driver is that WDF function call managing and is that driver the source of the invalid pointer in R15...?

10: kd> !dpx
Start memory scan  : 0xfffff309d2dbd4f8 ($csp)
End memory scan    : 0xfffff309d2dbe000 (Kernel Stack Base)

0xfffff309d2dbd5f8 : 0xfffff80720a6211c : nt!MmAccessFault+0x29c
0xfffff309d2dbd6c8 : 0xfffff80720a79220 : nt!KiSetPriorityThread+0x800
0xfffff309d2dbd718 : 0xfffff80720c27929 : nt!KiPageFault+0x369
0xfffff309d2dbd720 : 0xffff868005f7b180 :  Trap @ fffff309d2dbd720
0xfffff309d2dbd778 : 0xfffff807255450a0 : tpm!WPP_GLOBAL_Control
0xfffff309d2dbd850 : 0xfffff8072550f090 : tpm!Tpm20Info::CommandInfoComparer
0xfffff309d2dbd858 : 0xfffff80720bd5def : nt!bsearch+0x8f
0xfffff309d2dbd888 : 0xfffff80725503beb : tpm!Tpm20ResourceMgr::SubmitRequest+0x22b
0xfffff309d2dbd8d0 : 0xfffff8072550f090 : tpm!Tpm20Info::CommandInfoComparer
0xfffff309d2dbd940 : 0xfffff807255450a0 : tpm!WPP_GLOBAL_Control
0xfffff309d2dbd968 : 0xfffff80725503687 : tpm!Tpm20Scheduler::DoUserRequest+0xb7
0xfffff309d2dbd998 : 0xfffff807252413a2 : Wdf01000!FxWaitLockInternal::AcquireLock+0x56
0xfffff309d2dbd9a0 : 0xfffff807255450a0 : tpm!WPP_GLOBAL_Control
0xfffff309d2dbd9c8 : 0xfffff807255450a0 : tpm!WPP_GLOBAL_Control
0xfffff309d2dbda08 : 0xfffff8072550334e : tpm!Tpm20Scheduler::SchedulerThreadFunction+0x19e
0xfffff309d2dbdad8 : 0xfffff80720a78918 : nt!KeSetPriorityThread+0x188
0xfffff309d2dbdb48 : 0xfffff8072550165c : tpm!Tpm20Scheduler::SchedulerThreadWrapper+0x6c
0xfffff309d2dbdb60 : 0xfffff807255015f0 : tpm!Tpm20Scheduler::SchedulerThreadWrapper
0xfffff309d2dbdb78 : 0xfffff80720b89212 : nt!EtwTraceContextSwap+0xb2
0xfffff309d2dbdba8 : 0xfffff80720b07317 : nt!PspSystemThreadStartup+0x57
0xfffff309d2dbdbb8 : 0xfffff807255015f0 : tpm!Tpm20Scheduler::SchedulerThreadWrapper
0xfffff309d2dbdbf8 : 0xfffff80720c1bc54 : nt!KiStartSystemThread+0x34
0xfffff309d2dbdc10 : 0xfffff80720b072c0 : nt!PspSystemThreadStartup

 

[181951]

Hello @ubuysa, I'm not sharing these DMP files for attention, I'm a student and I'm studying software. In my free time from coding, I do debuggin stuff.

The problem I'm having with the DMP file in question is that when the system enters the valorant, every now and then I get this BSoD.

I have already found the solution. I turned off the memory integrity setting and this problem disappeared.

Actually I'm not interested in the solution, I can't find almost any information about tpm.sys on the internet, so I feel the need to ask people with more experience than me. Honestly, I don't think there is anyone around me who is an expert in this kind of work. Sysnative fits exactly for this purpose, but I think I've opened too many topics lately I might have a bad image.

Please don't misunderstand, I don't own the systems from which I collected the BSoD files. So most of the time I have nothing but the DMP file.

It's good that you pointed out the solution. I also checked it with the dpx command, but to no avail.

Why does the tpm.sys module show up as the cause of the blue screen? Do the calls in the stack section give us anything? What exactly is the reason? That's what I'm really curious about.

Thank's for all.

 

[ubuysa]

I'm uncomfortable commenting on a dump that's not for a system that you own. If you suspect that it's Valorant causing the BSOD then, since this is Windows 11, this is probably a code integrity issue with vgk.sys and that's where the TPM is involved.

 

[181951]

I'm uncomfortable commenting on a dump that's not for a system that you own. If you suspect that it's Valorant causing the BSOD then, since this is Windows 11, this is probably a code integrity issue with vgk.sys and that's where the TPM is involved.

FILE 2. The analysis is correct, scanning the system with driver verifier revealed that the problem is vanguard based. The file is in the beginning if you want to take a look. Thanks for everything,Can be marked as resolved.

 

[ubuysa]

What was the point of this thread then? You've learned nothing, I've wasted my valuable time, and someone else who was waiting to be helped wasn't. I won't be responding to posts like this from you again.