
tcpip.sys BSOD Insider 14965



Thank you for the uploaded memory dump file - it is very interesting!

This memory dump dates from 23 Dec 2016 (running Insider Build 14986).  It blames NETIO.sys as the cause, but mwac.sys (a MalwareBytes driver) is present in the stack text before the crash.
As such, it's likely that it is involved with the crash.  For further info, I'd suggest running Driver Verifier (using the "Create standard settings", then the "Automatically select all drivers installed on this computer").  When/if the system crashes with this, please upload the MEMORY.dmp file so we can run an analysis on that.  Please be aware that selecting all of the drivers may slow the system down (but the up side here is that it shouldn't take long for the system to crash with it).

If you note below, the entry for cldflt.sys is a bit different than the other drivers.
A Google search shows problems with it:  https://www.google.com/search?q=cldflt.sys&ie=utf-8&oe=utf-8

This driver is named the Cloud Files MiniFilter driver on my 14986 system.
Just FYI - my test system just BSOD'd on me while I was looking at that file :(
Currently running that memory dump..........
Mine shows a STOP 0x139 in ntoskrnl.exe - no sign of cldflt.sys in the stack text, but it is in the drivers output.
Just FYI - I do not have MalwareBytes installed on this test system.
 

The farflt.sys driver appears to be a part of the MalwareBytes AntiRansomware SDK
I tend not to believe in coincidences - so I wonder if the similarity in naming (cldflt.sys and farflt.sys) is significant.
In short, I wonder if the farflt.sys driver is related to the cloud stuff somehow.

Another interesting driver is the Intel Processor driver (Microsoft signed this one also) - intelppm.sys
It dates from 1972 - What The Heck????
FWIW - the intelppm.sys driver on my test system is dated from 03 Dec 2016 - YET, it shows as 1972 in the minidump on my system

Finally, I've got to wonder why there's a bunch of USB audio stuff in the dump output.
I've seen BSOD issues with USB audio in the past, but it's not a constant problem that I see.

It will be interesting to see the results of Driver Verifier.  Thanks for your continuing help with this matter!

Analysis:
The following is for information purposes only. The following information contains the relevant information from the blue screen analysis:
**************************Fri Dec 23 13:11:13.390 2016 (UTC - 5:00)**************************
Loading Dump File [C:\Users\john\SysnativeBSODApps\MEMORY.DMP]
Windows 10 Kernel Version 14986 MP (4 procs) Free x64
Built by: 14986.1000.amd64fre.rs_prerelease.161202-1928
System Uptime:0 days 0:04:17.020
*** ERROR: Module load completed but symbols could not be loaded for mwac.sys
Probably caused by :NETIO.SYS ( NETIO!FeCompleteClassify+ad )
BugCheck 3B, {c0000005, fffff805f55318a3, ffffd88005b539c0, 0}
BugCheck Info: SYSTEM_SERVICE_EXCEPTION (3b)
Arguments:
Arg1: 00000000c0000005, Exception code that caused the bugcheck
Arg2: fffff805f55318a3, Address of the instruction which caused the bugcheck
Arg3: ffffd88005b539c0, Address of the context record for the exception that caused the bugcheck
Arg4: 0000000000000000, zero.
BUGCHECK_STR:  0x3B
DEFAULT_BUCKET_ID:  WIN8_DRIVER_FAULT
PROCESS_NAME:  MBAMService.exe
FAILURE_BUCKET_ID: OLD_IMAGE_NETIO.SYS
CPUID:        "Intel(R) Core(TM) i5-4690K CPU @ 3.50GHz"
MaxSpeed:     3500
CurrentSpeed: 3500
  BIOS Version                  F7
  BIOS Release Date             04/21/2015
  Manufacturer                  Gigabyte Technology Co., Ltd.
  Product Name                  Z97X-UD3H-BK
  Baseboard Product             Z97X-UD3H-BK-CF
¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨``


3rd Party Drivers:
The following is for information purposes only. My recommendations were given above. The drivers that follow belong to software or devices that were not developed by Microsoft.  You can find links to the driver information and where to update the drivers in the section after the code box:

**************************Fri Dec 23 13:11:13.390 2016 (UTC - 5:00)**************************
	intelppm.sys                Tue Jun 13 03:21:26 1972 (049B0476)
	mbae64.sys                  Fri Apr 29 06:10:09 2016 (57233301)
	e1d65x64.sys                Tue Jul 26 12:48:21 2016 (57979455)
	mbam.sys                    Wed Sep 28 11:45:44 2016 (57EBE5A8)
	farflt.sys                  Wed Nov  2 10:29:12 2016 (5819F838)
	MBAMSwissArmy.sys           Wed Nov  9 09:21:05 2016 (582330D1)
	mwac.sys                    Thu Nov 17 20:02:05 2016 (582E530D)
	MBAMChameleon.sys           Sat Nov 19 14:13:08 2016 (5830A444)
	FocusriteUSBAudio.sys       Wed Nov 30 11:50:23 2016 (583F034F)
	FocusriteUSBSwRoot.sys      Wed Nov 30 11:50:35 2016 (583F035B)
	FocusriteUSB.sys            Wed Nov 30 11:50:41 2016 (583F0361)
	cldflt.sys                  ***** Invalid 1996 Invalid 1996 Invalid


http://www.carrona.org/drivers/driver.php?id=intelppm.sys
http://www.carrona.org/drivers/driver.php?id=mbae64.sys
http://www.carrona.org/drivers/driver.php?id=e1d65x64.sys
http://www.carrona.org/drivers/driver.php?id=mbam.sys
farflt.sys - this driver hasn't been added to the DRT as of this run. Please search Google/Bing for the driver if additional information is needed.
http://www.carrona.org/drivers/driver.php?id=MBAMSwissArmy.sys
http://www.carrona.org/drivers/driver.php?id=mwac.sys
http://www.carrona.org/drivers/driver.php?id=MBAMChameleon.sys
FocusriteUSBAudio.sys - this driver hasn't been added to the DRT as of this run. Please search Google/Bing for the driver if additional information is needed.
FocusriteUSBSwRoot.sys - this driver hasn't been added to the DRT as of this run. Please search Google/Bing for the driver if additional information is needed.
FocusriteUSB.sys - this driver hasn't been added to the DRT as of this run. Please search Google/Bing for the driver if additional information is needed.
cldflt.sys - this driver hasn't been added to the DRT as of this run. Please search Google/Bing for the driver if additional information is needed.

 


 

 

 


 

Edited by usasma
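Added example, not part of the original post: the eight hex digits in parentheses after each driver date are the image header's timestamp field in seconds since the Unix epoch, so the listing can be decoded and sanity-checked mechanically, which is how the 1972 and "Invalid" entries stand out. The function name, verdict labels and 15-year threshold are assumptions chosen for illustration.

```python
import re
from datetime import datetime, timezone

# Constructed sample: four lines copied from the driver listing in the post above.
SAMPLE = """\
intelppm.sys                Tue Jun 13 03:21:26 1972 (049B0476)
mbae64.sys                  Fri Apr 29 06:10:09 2016 (57233301)
mwac.sys                    Thu Nov 17 20:02:05 2016 (582E530D)
cldflt.sys                  ***** Invalid 1996 Invalid 1996 Invalid
"""

# Dump time from the analysis header (13:11:13, UTC - 5:00), expressed in UTC.
DUMP_TIME = datetime(2016, 12, 23, 18, 11, 13, tzinfo=timezone.utc)

LINE = re.compile(r"^\s*(?P<name>\S+\.sys)\s+(?P<rest>.*)$", re.I)
STAMP = re.compile(r"\(([0-9A-Fa-f]{8})\)\s*$")

def audit_driver_list(text, dump_time, max_age_years=15):
    """Return [(driver, utc_datetime_or_None, verdict)] for each listed driver."""
    results = []
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        s = STAMP.search(m["rest"])
        if not s:
            # The debugger could not read a timestamp at all (the cldflt.sys case).
            results.append((m["name"], None, "no-timestamp"))
            continue
        built = datetime.fromtimestamp(int(s.group(1), 16), tz=timezone.utc)
        if built > dump_time:
            verdict = "after-dump"        # stamped later than the crash itself
        elif (dump_time - built).days > max_age_years * 365:
            # Far outside any build window: the field is not a usable build
            # date (newer Windows binaries can carry a non-date value here).
            verdict = "implausibly-old"
        else:
            verdict = "plausible"
        results.append((m["name"], built, verdict))
    return results

if __name__ == "__main__":
    for name, built, verdict in audit_driver_list(SAMPLE, DUMP_TIME):
        print(f"{name:24} {built.isoformat() if built else '-':27} {verdict}")
```

The decoded times are UTC, so they differ from the listing's local-time column by the analyst machine's UTC offset.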

So the driver verifier caused my computer to throw DRIVER_VERIFIER_DETECTED_VIOLATION (bsod), never got to my desktop. A quick research and it points to ndisrfl.sys which is Intel(R) Technology Access Filter Driver  ?!?! waah this stuff is so deep!

Went and turned on safeboot and disabled the verifier, here's a full memory dump and one from the minidump folder: https://drive.google.com/file/d/0B-UGaCd9HSqgTm9fdFNqUTZWYVU/view?usp=sharing


IMO, it's more likely that this driver interfaces with the ME (Management Engine) functionality.  As it has ndis in the driver name, I would expect that there is some network functionality in the driver (and some posts on the web suggest that it can break your ethernet connectivity if it doesn't install properly).

That being said, here are some articles that seem to discuss it:
https://forums.lenovo.com/t5/Pre-Installed-Lenovo-Software/Intel-Technology-Access-Driver-T450s-Microsoft-DirectAccess/m-p/2080891#M27120
https://downloadcenter.intel.com/download/24415
https://downloadcenter.intel.com/product/85628/Intel-Technology-Access

The second and third links have a yellow bar across the page that states that Intel is no longer providing support for this product.
As the first article suggests uninstalling it, I'd suggest uninstalling it on your system and seeing what happens (make a system restore point beforehand - just in case).

Just FYI - there are also some posts on the web that suggest it's necessary for a touchscreen to work.

I ran both of the dumps.  The full dump blames ndisrfl.sys, while the minidump blames memory corruption.
Another interesting result in this hunt!

Unfortunately, I can't find any of the other reports that I requested, so I can't offer a firm opinion on this.
I suggest uninstalling the Intel Technology Access software from your system and seeing if that helps.
 

Analysis:
The following is for information purposes only. The following information contains the relevant information from the blue screen analysis:
**************************Sun Dec 25 08:48:01.594 2016 (UTC - 5:00)**************************
Loading Dump File [C:\Users\john\SysnativeBSODApps\MEMORY.DMP]
Windows 10 Kernel Version 14986 MP (4 procs) Free x64
Built by: 14986.1000.amd64fre.rs_prerelease.161202-1928
System Uptime:0 days 0:00:03.287
*** ERROR: Module load completed but symbols could not be loaded for ndisrfl.sys
Probably caused by :ndisrfl.sys
BugCheck C4, {62, ffffbf0d4585bfc0, ffffbf0d4585bd80, 3e8}
BugCheck Info: DRIVER_VERIFIER_DETECTED_VIOLATION (c4)
DRIVER_VERIFIER_DETECTED_VIOLATION (c4)
Arguments:
Arg1: 0000000000000062, A driver has forgotten to free its pool allocations prior to unloading.
Arg2: ffffbf0d4585bfc0, name of the driver having the issue.
Arg3: ffffbf0d4585bd80, verifier internal structure with driver information.
Arg4: 00000000000003e8, total # of (paged+nonpaged) allocations that weren't freed.
    Type !verifier 3 drivername.sys for info on the allocations
    that were leaked that caused the bugcheck.
BUGCHECK_STR:  0xc4_62
PROCESS_NAME:  System
FAILURE_BUCKET_ID: 0xc4_62_VRF_LEAKED_POOL_IMAGE_ndisrfl.sys
¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨``
**************************Sun Dec 25 08:48:01.594 2016 (UTC - 5:00)**************************
Loading Dump File [C:\Users\john\SysnativeBSODApps\122516-5046-01.dmp]
Windows 10 Kernel Version 14986 MP (4 procs) Free x64
Built by: 14986.1000.amd64fre.rs_prerelease.161202-1928
System Uptime:0 days 0:00:03.287
*** WARNING: Unable to verify timestamp for ndisrfl.sys
*** ERROR: Module load completed but symbols could not be loaded for ndisrfl.sys
Probably caused by :memory_corruption
BugCheck C4, {62, ffffbf0d4585bfc0, ffffbf0d4585bd80, 3e8}
BugCheck Info: DRIVER_VERIFIER_DETECTED_VIOLATION (c4)
DRIVER_VERIFIER_DETECTED_VIOLATION (c4)
Arguments:
Arg1: 0000000000000062, A driver has forgotten to free its pool allocations prior to unloading.
Arg2: ffffbf0d4585bfc0, name of the driver having the issue.
Arg3: ffffbf0d4585bd80, verifier internal structure with driver information.
Arg4: 00000000000003e8, total # of (paged+nonpaged) allocations that weren't freed.
    Type !verifier 3 drivername.sys for info on the allocations
    that were leaked that caused the bugcheck.
BUGCHECK_STR:  0xc4_62
PROCESS_NAME:  System
FAILURE_BUCKET_ID: MEMORY_CORRUPTION_ONE_BYTE
¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨``


3rd Party Drivers:
The following is for information purposes only. My recommendations were given above. The drivers that follow belong to software or devices that were not developed by Microsoft.  You can find links to the driver information and where to update the drivers in the section after the code box:

¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨``
**************************Sun Dec 25 08:48:01.594 2016 (UTC - 5:00)**************************
ndisrfl.sys                 Thu Jul  9 13:06:23 2015 (559EAA0F)


http://www.carrona.org/drivers/driver.php?id=ndisrfl.sys

 


I don't know what the hell Intel Technology Access is but I haven't installed it - I know what I put on my computer, or do I - after all I'm running Windows 10... :D

Now I don't know what the hell is going on. Somehow Malwarebytes causes my stuff to break, but without Malwarebytes I never get these weird bsods n stuff. We need some support from a guy knowing Intel software...

Edited by Hawaii_Beach

The Intel Technology Access is sometimes installed by the OEMs.
I'm not familiar with it, but the driver is installed on your system - so it's there.

So, let's summarize:
- you're using a "beta" operating system that has known issues
- you're using a product (Intel Technology Access) that's no longer supported by Intel and isn't being updated for the latest versions of Windows
- you're using a product (MalwareBytes) that has known issues with the "beta" operating system
- both MalwareBytes and Microsoft are working at fixing the problems - but I have no clue if they're working together or working independently.  If working independently, it's not unreasonable to assume that each update might cause further problems until they finally settle on the code that they'll use in the final release.
 

Good luck!


Hi Scottahart777!  While this may seem to be the exact same problem as Hawaii_Beach is having, there are many differences between the systems and the Windows installations that aren't readily visible.  If you'd like assistance with your specific issues, please feel free to start your own topic - so that your issues can get the individual attention that they deserve.  Feel free to follow this topic also, as it may provide suggestions that may help you also.

Just FYI - build 14986 is a Fast Ring Windows Insider build - and, as such, it's not likely to be completely stable.  In the past we've seen issues with the builds and MalwareBytes that have been fixed in subsequent builds - only to return again.  What we have here is 2 sets of developers from 2 different companies (Microsoft and MalwareBytes) who are trying to produce a stable product.  The kinks will eventually be worked out, but it may take some time.


  • 3 weeks later...

Same here with 3.05, but also did it with previous 3.0 versions. Using alongside Windows Defender, on Preview build 14986. Not using Bittorrent on this machine. It just happens randomly. Tried a different NIC, but the same thing. Currently using an Intel i350-T2 and tried an i9402PT.


 

==================================================
Dump File         : 012217-14953-01.dmp
Crash Time        : 22/01/2017 14:58:31
Bug Check String  : SYSTEM_SERVICE_EXCEPTION
Bug Check Code    : 0x0000003b
Parameter 1       : 00000000`c0000005
Parameter 2       : fffff806`b81318a3
Parameter 3       : ffff8981`2e6a5b00
Parameter 4       : 00000000`00000000
Caused By Driver  : NETIO.SYS
Caused By Address : NETIO.SYS+59b1
File Description  : Network I/O Subsystem
Product Name      : Microsoft® Windows® Operating System
Company           : Microsoft Corporation
File Version      : 10.0.14986.1000 (WinBuild.160101.0800)
Processor         : x64
Crash Address     : ntoskrnl.exe+153240
Stack Address 1   :
Stack Address 2   :
Stack Address 3   :
Computer Name     :
Full Path         : C:\WINDOWS\Minidump\012217-14953-01.dmp
Processors Count  : 12
Major Version     : 15
Minor Version     : 14986
Dump File Size    : 318,624
Dump File Time    : 22/01/2017 15:08:48
==================================================
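Added example, not part of the original posts: a way to check a "same here" report against the earlier dumps by reducing each bug check to a comparable signature. It accepts both report formats seen in this thread; for 0x3B it keeps the exception code plus the page offset (low 12 bits) of the faulting instruction address, since the offset within a page is unchanged when the image loads at a different base. The function names and the choice of signature fields are assumptions.

```python
import re

# Constructed sample: bug check lines copied from the three reports in this thread.
WINDBG_3B = "BugCheck 3B, {c0000005, fffff805f55318a3, ffffd88005b539c0, 0}"
WINDBG_C4 = "BugCheck C4, {62, ffffbf0d4585bfc0, ffffbf0d4585bd80, 3e8}"
TABLE_3B = """\
Bug Check Code    : 0x0000003b
Parameter 1       : 00000000`c0000005
Parameter 2       : fffff806`b81318a3
Parameter 3       : ffff8981`2e6a5b00
Parameter 4       : 00000000`00000000
"""

def parse_bugcheck(text):
    """Return (code, [arg1..arg4]) from either report format."""
    m = re.search(r"BugCheck\s+([0-9A-Fa-f]+),\s*\{([^}]*)\}", text)
    if m:
        args = [int(a.strip(), 16) for a in m.group(2).split(",")]
        return int(m.group(1), 16), args
    code = re.search(r"Bug Check Code\s*:\s*0x([0-9A-Fa-f]+)", text)
    params = re.findall(r"Parameter \d\s*:\s*([0-9A-Fa-f`]+)", text)
    if not code or len(params) != 4:
        raise ValueError("no bug check record found")
    # The table format splits 64-bit values with a backtick.
    return int(code.group(1), 16), [int(p.replace("`", ""), 16) for p in params]

def crash_signature(text):
    """Reduce a bug check to fields that are comparable across machines."""
    code, args = parse_bugcheck(text)
    if code == 0x3B:
        # Arg1 = exception code, Arg2 = address of the faulting instruction.
        return (code, args[0], args[1] & 0xFFF)
    if code == 0xC4:
        # Arg1 = Driver Verifier violation subtype (0x62 = leaked pool at unload).
        return (code, args[0])
    return (code,)

if __name__ == "__main__":
    for label, rec in (("first dump", WINDBG_3B), ("later report", TABLE_3B),
                       ("verifier dump", WINDBG_C4)):
        print(label, [hex(v) for v in crash_signature(rec)])
```

A matching signature says the two crashes faulted with the same exception at the same offset within a page, which is consistent with the same code path but still needs the full stack from each dump to confirm.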

 


Hi Anach!

If you'd like some individual assistance with the BSOD issues, please start your own topic and include this:
 

Please run this report collecting tool so that we can provide a complete analysis: (from the pinned topic at the top of the forum):  https://forums.malwarebytes.org/topic/170037-blue-screen-of-death-bsod-posting-instructions-windows-10-81-8-7-vista/

FYI - I don't often use the Perfmon report, so if it doesn't work please just let me know.
NOTE:  On problem systems it can take up to 20 minutes for the log files to complete.  Please be patient and let it run.

If you still have problems with it running, there's an alternate tool here (direct download link):  https://github.com/blueelvis/BSOD-Inspector/releases/download/1.0.5/BSODInspector-1.0.5.exe

NOTE:
Please zip up the (.ZIP) files - do not use .RAR, .7z or other compression utilities.
.ZIP is the type of file that can be uploaded to the forums.
