[SOLVED] What is inpoutx64.sys and what is its fundamental relationship to vanguard?

181951

Code:
Unloaded modules:
fffff802`f0060000 fffff802`f0073000   MSKSSRV.sys
fffff802`71e30000 fffff802`7330c000   vgk.sys
fffff802`f0090000 fffff802`f009d000   MSPCLOCK.sys
fffff802`f0080000 fffff802`f008d000   MSPCLOCK.sys
fffff802`f0040000 fffff802`f0053000   MSKSSRV.sys
fffff802`f0030000 fffff802`f003d000   MSPCLOCK.sys
fffff802`f0010000 fffff802`f0023000   MSKSSRV.sys
fffff802`effc0000 fffff802`effd3000   MSKSSRV.sys
fffff802`effa0000 fffff802`effb3000   MSKSSRV.sys
fffff802`eff80000 fffff802`eff93000   MSKSSRV.sys
fffff802`eff60000 fffff802`eff73000   MSKSSRV.sys
fffff802`eff40000 fffff802`eff53000   MSKSSRV.sys
fffff802`efd60000 fffff802`efd6d000   MSPCLOCK.sys
fffff802`efd40000 fffff802`efd53000   MSKSSRV.sys
fffff802`efb90000 fffff802`efba3000   MSKSSRV.sys
fffff802`efb60000 fffff802`efb68000   inpoutx64.sy
fffff802`efb50000 fffff802`efb58000   inpoutx64.sy
fffff802`efb40000 fffff802`efb48000   inpoutx64.sy
fffff802`efb30000 fffff802`efb38000   inpoutx64.sy
fffff802`efb20000 fffff802`efb28000   inpoutx64.sy
fffff802`efb10000 fffff802`efb18000   inpoutx64.sy
fffff802`efb00000 fffff802`efb08000   inpoutx64.sy
fffff802`efaf0000 fffff802`efaf8000   inpoutx64.sy
fffff802`6c270000 fffff802`6c283000   MSKSSRV.sys
fffff802`efac0000 fffff802`efac8000   inpoutx64.sy
fffff802`efab0000 fffff802`efab8000   inpoutx64.sy
fffff802`efaa0000 fffff802`efaa8000   inpoutx64.sy
fffff802`efa90000 fffff802`efa98000   inpoutx64.sy
fffff802`efa80000 fffff802`efa88000   inpoutx64.sy
fffff802`efa70000 fffff802`efa78000   inpoutx64.sy
fffff802`efa60000 fffff802`efa68000   inpoutx64.sy
fffff802`efa50000 fffff802`efa58000   inpoutx64.sy
fffff802`ef540000 fffff802`ef548000   inpoutx64.sy
fffff802`d3e00000 fffff802`d4071000   vmswitch.sys
fffff802`6c200000 fffff802`6c210000   dump_storpor
fffff802`6c240000 fffff802`6c270000   dump_stornvm
fffff802`6c290000 fffff802`6c2ae000   dump_dumpfve
fffff802`55a20000 fffff802`55a2c000   WdmCompanion
fffff802`71c90000 fffff802`71cac000   dam.sys
fffff802`71810000 fffff802`7198e000   vfpext.sys
fffff802`57e50000 fffff802`57e63000   WdBoot.sys
fffff802`59ac0000 fffff802`59ad1000   hwpolicy.sys
fffff802`51950000 fffff802`51be0000   mcupdate.dll

I have a file like this and this sys file is probably the cause. I couldn't get anything clear from the stack part or other parts. Can anyone give me an idea about what the .sys file is? Thank you.


012524-16437-01.dmp - Here's the dump file, in case anyone wants to look at it.
 
Can anyone give me an idea about what the .sys file is?
According to the DRT, it's some third-party driver which provides wrapper functions for port I/O; it'll be a driver which is likely used by many different applications. Most likely used by some fan speed or hardware monitoring program.

I have a file like this and this sys file is probably the cause.
How do you know that? From the dump file you've provided, I don't see any evidence to suggest that is the case.

I couldn't get anything clear from the stack part or other parts.
Rich (BB code):
ATTEMPTED_EXECUTE_OF_NOEXECUTE_MEMORY (fc)
An attempt was made to execute non-executable memory.  The guilty driver
is on the stack trace (and is typically the current instruction pointer).
When possible, the guilty driver's name (Unicode string) is printed on
the bugcheck screen and saved in KiBugCheckDriver.
Arguments:
Arg1: ffffe78a99f28cd0, Virtual address for the attempted execute.
Arg2: 8a0000018c8009e3, PTE contents.
Arg3: ffff950abd22e550, (reserved) << Trap frame address which you can use with .trap
Arg4: 0000000000000003, (reserved)

The system crashes because something has attempted to execute some code inside of a non-executable page.

Rich (BB code):
1: kd> !pte ffffe78a99f28cd0
                                           VA ffffe78a99f28cd0
PXE at FFFFCCE673399E78    PPE at FFFFCCE6733CF150    PDE at FFFFCCE679E2A678    PTE at FFFFCCF3C54CF940
contains 0A000000056CF863  contains 0A000000053D2863  contains 8A0000018C8009E3  contains 0000000000000000
pfn 56cf      ---DA--KWEV  pfn 53d2      ---DA--KWEV  pfn 18c800    -GLDA--KW-V  LARGE PAGE pfn 18c928

Large pages don't have PTEs associated with them so you'll need to check the PDE instead. Notice how the executable bit is clear? This is why the page fault gets raised which then does the NX fault check and crashes the system.

The PTE contents in the second parameter is a bitfield which is already parsed for you by !pte.

Rich (BB code):
1: kd> !load pde; !dpx
=========================================================================================
 PDE v11.3 - Copyright 2017 Andrew Richards
=========================================================================================
Start memory scan  : 0xffff950abd22e318 ($csp)
End memory scan    : 0xffff950abd230000 (Kernel Stack Base)

                r9 : 0xffff950abd22e550 : 0xfffff80257ae129b : WppRecorder!WppAutoLogTrace+0x16b
               r11 : 0xffff950abd22e548 : 0xfffff80254a0c8d8 : nt!KiPageFault+0x358
0xffff950abd22e338 : 0xffff950abd22e550 : 0xfffff80257ae129b : WppRecorder!WppAutoLogTrace+0x16b
0xffff950abd22e350 : 0xffff950abd22e550 : 0xfffff80257ae129b : WppRecorder!WppAutoLogTrace+0x16b
0xffff950abd22e398 : 0xffff950abd22e550 : 0xfffff80257ae129b : WppRecorder!WppAutoLogTrace+0x16b
0xffff950abd22e3a8 : 0xfffff8025483081f : nt!MmAccessFault+0x4ef
0xffff950abd22e480 : 0xffff950abd22e550 : 0xfffff80257ae129b : WppRecorder!WppAutoLogTrace+0x16b
0xffff950abd22e530 : 0xfffff802940a2285 : ucx01000!RootHub_Pdo_EvtInternalDeviceControlIrpPreprocessCallback+0xb5
0xffff950abd22e548 : 0xfffff80254a0c8d8 : nt!KiPageFault+0x358
0xffff950abd22e550 : 0xfffff80257ae129b : WppRecorder!WppAutoLogTrace+0x16b Trap @ ffff950abd22e550
0xffff950abd22e570 : 0xffffe78aa6dab020 :  dt Wdf01000!FxRequestFromLookaside
Unable to load image \SystemRoot\System32\drivers\RzDev_0098.sys, Win32 error 0n2
*** WARNING: Unable to verify timestamp for RzDev_0098.sys
0xffff950abd22e588 : 0xfffff80256369080 : mouclass!WPP_MAIN_CB
0xffff950abd22e5a8 : 0xfffff80254938a80 : nt!IoReleaseRemoveLockEx
0xffff950abd22e630 : 0xfffff80256369008 : mouclass!WPP_RECORDER_INITIALIZED
0xffff950abd22e640 : 0xfffff80256365073 : mouclass!MouseClassServiceCallback+0x493
*** WARNING: Unable to verify timestamp for win32kbase.sys
0xffff950abd22e698 : 0xffffe78a848fde20 :  dt Wdf01000!FxRequestFromLookaside
0xffff950abd22e6f8 : 0xfffff802940a2285 : ucx01000!RootHub_Pdo_EvtInternalDeviceControlIrpPreprocessCallback+0xb5
0xffff950abd22e718 : 0xffffe78a99f28c60 :  dt Wdf01000!FxSpinLock
Unable to load image \SystemRoot\System32\drivers\RzCommon.sys, Win32 error 0n2
*** WARNING: Unable to verify timestamp for RzCommon.sys
0xffff950abd22e788 : 0xfffff802579da977 : Wdf01000!FxDevice::DispatchWithLock+0x267

Those two mentioned drivers (RzCommon.sys & RzDev_0098.sys) are most likely going to be Razer mouse drivers.
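
Added example (not part of the original posts): a small Python decoder for the page-table entries quoted in the !pte output above. It reproduces the flag strings, shows that NX (bit 63) is what removes the `E` from the PDE, and derives the `LARGE PAGE pfn` from Arg1 and Arg2. The function names are my own, and the software-defined bits above bit 51 are ignored apart from NX.

```python
# Added example: decode x86-64 page-table entries the way !pte summarises them.
NX_BIT = 1 << 63
PFN_MASK = (1 << 40) - 1          # physical frame number lives in bits 12..51
LARGE_PAGE_SPAN = 1 << 21         # a PDE with the L bit set maps 2 MiB

# (mask, letter if set, letter if clear), in the left-to-right order of the
# flag strings in the !pte output quoted above.
FLAG_LETTERS = [
    (0x200, "C", "-"),  # copy-on-write (software bit)
    (0x100, "G", "-"),  # global
    (0x080, "L", "-"),  # large page
    (0x040, "D", "-"),  # dirty
    (0x020, "A", "-"),  # accessed
    (0x010, "N", "-"),  # cache disabled
    (0x008, "T", "-"),  # write-through
    (0x004, "U", "K"),  # user / kernel owner
    (0x002, "W", "R"),  # writable / read-only
]

def flag_string(entry: int) -> str:
    """Render the flag column as !pte prints it, e.g. '-GLDA--KW-V'."""
    out = [set_ if entry & mask else clear for mask, set_, clear in FLAG_LETTERS]
    out.append("-" if entry & NX_BIT else "E")   # E only when NX (bit 63) is clear
    out.append("V" if entry & 0x1 else "-")      # valid
    return "".join(out)

def pfn(entry: int) -> int:
    return (entry >> 12) & PFN_MASK

def is_executable(entry: int) -> bool:
    return bool(entry & 0x1) and not entry & NX_BIT

def large_page_pfn(pde: int, va: int) -> int:
    """PFN of the 4 KiB frame inside a 2 MiB large page that holds `va`."""
    if not pde & 0x080:
        raise ValueError("PDE does not map a large page; walk to the PTE instead")
    return pfn(pde) + ((va & (LARGE_PAGE_SPAN - 1)) >> 12)

if __name__ == "__main__":
    va, pde = 0xFFFFE78A99F28CD0, 0x8A0000018C8009E3   # Arg1 and Arg2 of the 0xFC bugcheck
    for name, entry in [("PXE", 0x0A000000056CF863), ("PPE", 0x0A000000053D2863), ("PDE", pde)]:
        print(f"{name} pfn {pfn(entry):x} {flag_string(entry)} executable={is_executable(entry)}")
    print(f"large page pfn {large_page_pfn(pde, va):x}")
```
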
 
Actually, since I couldn't find anything in the stack, I tried to find the culprit in the .sys file in the topic, but I was wrong. Is PDE a command added with the 3rd software?


Yes, it was, I downloaded it and saw the result for myself. Thank you.

So, what exactly does the inpoutx64.sys module do? Can it be associated with any program/application/game?
 
So, what exactly does the inpoutx64.sys module do?
It provides a couple of IOCTLs in order to allow applications to access hardware via I/O ports. Here's an example of how it is being used:

LibreHardwareMonitor/InpOut/inpout32drv.cpp at master · LibreHardwareMonitor/LibreHardwareMonitor

That LibreHardwareMonitor program is used by a fan control application as well.

can it be associated with any program/application/game?
Yes, but you'll most commonly see it being used with hardware monitoring programs.
 
Thanks, you have been very helpful. The issue can be marked as resolved.
 
