Code:
0: kd> .bugcheck
Bugcheck code 000000C2
Arguments 00000000`00000007 00000000`00001200 00000000`0024ab86 ffffe000`d095b618
Code:
0: kd> !thread
GetPointerFromAddress: unable to read from fffff801a0df0000
THREAD ffffe000c7954880 Cid 0004.00f8 Teb: 0000000000000000 Win32Thread: 0000000000000000 RUNNING on processor 0
Not impersonating
GetUlongFromAddress: unable to read from fffff801a0d3cb00
Owning Process ffffe000c5b938c0 Image: System
Attached Process N/A Image: N/A
fffff78000000000: Unable to get shared data
Wait Start TickCount 138277
Context Switch Count 174955 IdealProcessor: 0
ReadMemory error: Cannot get nt!KeMaximumIncrement value.
UserTime 00:00:00.000
KernelTime 00:00:00.000
Win32 Start Address ndis!ndisReceiveWorkerThread (0xfffff801bde99da0)
Stack Init ffffd001f2a29c90 Current ffffd001f2a29840
Base ffffd001f2a2a000 Limit ffffd001f2a24000 Call 0
Priority 8 BasePriority 8 UnusualBoost 0 ForegroundBoost 0 IoPriority 2 PagePriority 5
Child-SP RetAddr : Args to Child : Call Site
ffffd001`f2a28f38 fffff801`a0d31ff2 : 00000000`000000c2 00000000`00000007 00000000`00001200 00000000`0024ab86 : nt!KeBugCheckEx
ffffd001`f2a28f40 fffff801`be75c91f : 00000000`00000000 ffffe000`c6b55870 ffffe000`00000582 00000000`00000024 : nt!ExAllocatePoolWithTag+0x1102
ffffd001`f2a29030 fffff801`beaad6bd : ffffe000`c7401a30 ffffe000`c6ea1df0 00000000`00000000 fffff801`bdea76e9 : NETIO!NetioFreeMdl+0x20d7f [COLOR=#008000]// NETwbw02 calling Network I/O Subsystem to free MDL.[/COLOR]
ffffd001`f2a29080 fffff801`be72e8c1 : ffffe000`c6ea1df0 00000000`00000001 fffff801`be7477b0 00000000`00000000 : fwpkclnt!FwppInjectComplete+0x59
ffffd001`f2a290c0 fffff801`be72e402 : 00000000`00000000 ffffe000`c6ea1df0 ffffd001`f2a29260 fffff801`bf494600 : NETIO!NetioDereferenceNetBufferList+0xc1
ffffd001`f2a29140 fffff801`be8863e7 : fffff801`bde98980 00000000`00000001 00000000`00000000 00000000`00000000 : NETIO!NetioDereferenceNetBufferListChain+0x2e2
ffffd001`f2a291e0 fffff801`bde92690 : 00000000`00000001 ffffd001`f2a29279 ffffe000`cbcdc1a0 fffff801`bfab4ff6 : tcpip!FlSendNetBufferListChainComplete+0x57
ffffd001`f2a29210 fffff801`bde91f01 : ffffe000`cbcdc1a0 ffffe000`c6b55870 fffff801`00000001 00000000`00000001 : ndis!ndisMSendCompleteNetBufferListsInternal+0x140
ffffd001`f2a292e0 fffff801`c10c2d1f : ffffe000`cbcdc1a0 ffffe000`d152e320 ffffe000`d152e320 00000000`00000000 : ndis!NdisMSendNetBufferListsComplete+0x4f1
ffffd001`f2a29450 ffffe000`cbcdc1a0 : ffffe000`d152e320 ffffe000`d152e320 00000000`00000000 ffffe000`cc2ed010 : NETwbw02+0x1dfd1f
ffffd001`f2a29458 ffffe000`d152e320 : ffffe000`d152e320 00000000`00000000 ffffe000`cc2ed010 fffff801`c0f033b5 : 0xffffe000`cbcdc1a0
ffffd001`f2a29460 ffffe000`d152e320 : 00000000`00000000 ffffe000`cc2ed010 fffff801`c0f033b5 ffffe000`cc35df28 : 0xffffe000`d152e320
ffffd001`f2a29468 00000000`00000000 : ffffe000`cc2ed010 fffff801`c0f033b5 ffffe000`cc35df28 fffff801`c0f02e5b : 0xffffe000`d152e320
The Intel® Wireless WiFi Link driver attempted to free an MDL when the pool had already been freed, so we bug checked.
Code:
0: kd> !pool ffffe000d095b618
Pool page ffffe000d095b618 region is Unknown
ffffe000d095b000 size: 150 previous size: 0 (Allocated) File
ffffe000d095b150 size: 20 previous size: 150 (Allocated) ViMm
ffffe000d095b170 size: 50 previous size: 20 (Allocated) CcVp
ffffe000d095b1c0 size: a0 previous size: 50 (Allocated) Muta
ffffe000d095b260 size: 80 previous size: a0 (Free ) Io Process: fd0622582baeb276
ffffe000d095b2e0 size: 150 previous size: 80 (Allocated) File
ffffe000d095b430 size: 10 previous size: 150 (Free) Free
ffffe000d095b440 size: 80 previous size: 10 (Allocated) Even
ffffe000d095b4c0 size: 90 previous size: 80 (Allocated) Vad
ffffe000d095b550 size: c0 previous size: 90 (Allocated) Mmdl
*ffffe000d095b610 size: 60 previous size: c0 (Allocated) *NDnd
Pooltag NDnd : NDIS_TAG_POOL_NDIS, Binary : ndis.sys // We can see NDIS involved, of course.
ffffe000d095b670 size: 70 previous size: 60 (Allocated) WfpM
ffffe000d095b6e0 size: e0 previous size: 70 (Allocated) EtwR
ffffe000d095b7c0 size: 80 previous size: e0 (Allocated) Even
ffffe000d095b840 size: 70 previous size: 80 (Free) WfpM
ffffe000d095b8b0 size: 120 previous size: 70 (Allocated) FMsl
ffffe000d095b9d0 size: 90 previous size: 120 (Allocated) Vad
ffffe000d095ba60 size: 150 previous size: 90 (Allocated) File
ffffe000d095bbb0 size: 10 previous size: 150 (Free) Free
ffffe000d095bbc0 size: 80 previous size: 10 (Allocated) Even
ffffe000d095bc40 size: 150 previous size: 80 (Allocated) File
ffffe000d095bd90 size: 50 previous size: 150 (Allocated) ViMm
ffffe000d095bde0 size: d0 previous size: 50 (Allocated) WSKs
ffffe000d095beb0 size: 150 previous size: d0 (Allocated) File
Code:
0: kd> lmvm NETwbw02
start end module name
fffff801`c0ee3000 fffff801`c126e000 NETwbw02 T (no symbols)
Loaded symbol image file: NETwbw02.sys
Image path: \SystemRoot\system32\DRIVERS\NETwbw02.sys
Image name: NETwbw02.sys
Timestamp: Mon Oct 14 07:10:01 2013 (525BD109)
CheckSum: 003727B2
ImageSize: 0038B000
Translations: 0000.04b0 0000.04e4 0409.04b0 0409.04e4
Update the driver; it's 2 years old. If you bug check after updating it, I see a potential problem. Enable verifier, and we'll need a kernel dump to be sure. Kernel dumps are in C:\Windows, named MEMORY.DMP, and must be uploaded to a 3rd-party host; paste the link here afterwards.
Driver Verifier:
What is Driver Verifier?
Driver Verifier monitors Windows kernel-mode drivers, graphics drivers, and even 3rd party drivers to detect illegal function calls or actions that might corrupt the system. Driver Verifier can subject the Windows drivers to a variety of stresses and tests to find improper behavior.
Essentially, if there's a 3rd party driver believed to be causing the issues at hand, enabling Driver Verifier will help us see which specific driver is causing the problem.
Before enabling Driver Verifier, it is recommended to create a System Restore Point:
Vista - START | type rstrui - create a restore point
Windows 7 - START | type create | select "Create a Restore Point"
Windows 8/8.1 - Restore Point - Create in Windows 8
How to enable Driver Verifier:
Start > type "verifier" without the quotes > Select the following options -
1. Select - "Create custom settings (for code developers)"
2. Select - "Select individual settings from a full list"
3. Check the following boxes -
- Special Pool
- Pool Tracking
- Force IRQL Checking
- Deadlock Detection
- Security Checks (only on Windows 7 & 8/8.1)
- DDI compliance checking (only on Windows 8/8.1)
- Miscellaneous Checks
4. Select - "Select driver names from a list"
5. Click on the "Provider" tab. This will sort all of the drivers by the provider.
6. Check EVERY box that is NOT provided by Microsoft / Microsoft Corporation.
7. Click on Finish.
8. Restart.
Important information regarding Driver Verifier:
- Perhaps the most important point, which I will now clarify as it has often been misunderstood: enabling Driver Verifier by itself is NOT a solution, but instead a diagnostic utility. It will tell us if a driver is causing your issues, but again it will not outright solve your issues.
- If Driver Verifier finds a violation, the system will BSOD. To expand on this a bit more for the interested, what Driver Verifier actually does is look for any driver making illegal function calls, causing memory leaks, etc. If and when this happens, system corruption occurs if allowed to continue. When Driver Verifier is enabled per my instructions above, it is monitoring all 3rd party drivers (as we have it set that way), and when it catches a driver attempting to do this, it will quickly flag that driver as being a troublemaker and bring down the system safely before any corruption can occur.
- After enabling Driver Verifier and restarting the system, depending on the culprit, if for example the driver is on start-up, you may not be able to get back into normal Windows because Driver Verifier will detect it in violation almost straight away, and as stated above, that will cause / force a BSOD.
If this happens, do not panic, do the following:
- Boot into Safe Mode by repeatedly tapping the F8 key during boot-up.
- Once in Safe Mode - Start > Search > type "cmd" without the quotes.
- To turn off Driver Verifier, type in cmd "verifier /reset" without the quotes.
- Restart and boot into normal Windows.
If your OS became corrupt or you cannot boot into Windows after disabling verifier via Safe Mode:
- Boot into Safe Mode by repeatedly tapping the F8 key during boot-up.
- Once in Safe Mode - Start > type "system restore" without the quotes.
- Choose the restore point you created earlier.
-- Note that Safe Mode for Windows 8/8.1 is a bit different, and you may need to try different methods:
5 Ways to Boot into Safe Mode in Windows 8 & Windows 8.1
How long should I keep Driver Verifier enabled for?
I recommend keeping it enabled for at least 24 hours. If you don't BSOD by then, disable Driver Verifier. I will usually say whether or not I'd like for you to keep it enabled any longer.
My system BSOD'd with Driver Verifier enabled, where can I find the crash dumps?
- If you have the system set to generate Small Memory Dumps, they will be located in %systemroot%\Minidump.
- If you have the system set to generate Kernel Memory Dumps, it will be located in %systemroot% and labeled MEMORY.DMP.
Any other questions can most likely be answered by this article:
Using Driver Verifier to identify issues with Windows drivers for advanced users
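
The GUI steps in the post above map onto a verifier.exe command line. The PowerShell below is an added example, not part of the original post: it assumes Windows PowerShell 3.0 or later, and the function names Get-ThirdPartyDriver and New-VerifierCommand are hypothetical. It only prints the command so the driver list can be reviewed before anything is enabled.

```powershell
# Added example (not from the original post). verifier.exe /flags bit values
# for the boxes ticked in step 3 of the GUI procedure.
$VerifierFlags = [ordered]@{
    'Special Pool'            = 0x00001
    'Force IRQL Checking'     = 0x00002
    'Pool Tracking'           = 0x00008
    'Deadlock Detection'      = 0x00020
    'Security Checks'         = 0x00100   # Windows 7 and 8/8.1 only
    'Miscellaneous Checks'    = 0x00800
    'DDI compliance checking' = 0x20000   # Windows 8/8.1 only
}

function Get-ThirdPartyDriver {
    # Running kernel drivers whose version resource does not name Microsoft
    # (the command-line equivalent of sorting by the "Provider" tab).
    Get-CimInstance Win32_SystemDriver -Filter "State='Running'" | ForEach-Object {
        # PathName may be \SystemRoot\..., \??\C:\... or a plain path.
        $path = $_.PathName -replace '^\\\?\?\\', '' `
                            -replace '^\\SystemRoot', $env:SystemRoot
        if ($path -and (Test-Path -LiteralPath $path)) {
            $company = (Get-Item -LiteralPath $path).VersionInfo.CompanyName
            # Drivers with no company string are treated as third party.
            if ($company -notmatch 'Microsoft') { Split-Path $path -Leaf }
        }
    } | Sort-Object -Unique
}

function New-VerifierCommand {
    param([version]$OsVersion = [Environment]::OSVersion.Version)
    $flags = 0
    foreach ($name in $VerifierFlags.Keys) {
        # Skip the options the post marks as unavailable on older Windows.
        if ($name -eq 'Security Checks' -and $OsVersion -lt [version]'6.1') { continue }
        if ($name -eq 'DDI compliance checking' -and $OsVersion -lt [version]'6.2') { continue }
        $flags = $flags -bor $VerifierFlags[$name]
    }
    $drivers = @(Get-ThirdPartyDriver)
    if ($drivers.Count -eq 0) { throw 'No third-party drivers found.' }
    'verifier /flags 0x{0:X} /driver {1}' -f $flags, ($drivers -join ' ')
}

# Print the command for review; run it from an elevated prompt, then restart.
New-VerifierCommand
# verifier /querysettings   # after the restart: confirm which checks are active
# verifier /reset           # turn Driver Verifier off again, as described above
```

On Windows 8/8.1 the flags value comes out as 0x2092B; create the restore point first, exactly as for the GUI route.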