usasma Posted December 24, 2016 ID:1083610 (edited)

Thank you for the uploaded memory dump file - it is very interesting!

This memory dump dates from 23 Dec 2016 (running Insider Build 14986). It blames NETIO.sys as the cause, but mwac.sys (a MalwareBytes driver) is present in the stack text before the crash. As such, it's likely that it is involved with the crash.

For further info, I'd suggest running Driver Verifier (using the "Create standard settings", then the "Automatically select all drivers installed on this computer"). When/if the system crashes with this, please upload the MEMORY.dmp file so we can run an analysis on that. Please be aware that selecting all of the drivers may slow the system down (but the up side here is that it shouldn't take long for the system to crash with it).

If you note below, the entry for cldflt.sys is a bit different than the other drivers. A Google search shows problems with it: https://www.google.com/search?q=cldflt.sys&ie=utf-8&oe=utf-8
This driver is named the Cloud Files MiniFilter driver on my 14986 system.

Just FYI - my test system just BSOD'd on me while I was looking at that file. Currently running that memory dump..........
Mine shows a STOP 0x139 in ntoskrnl.exe - no sign of cldflt.sys in the stack text, but it is in the drivers output.
Just FYI - I do not have MalwareBytes installed on this test system.

The farflt.sys driver appears to be a part of the MalwareBytes AntiRansomware SDK.
I tend not to believe in coincidences - so I wonder if the similarity in naming (cldflt.sys and farflt.sys) is significant. In short, I wonder if the farflt.sys driver is related to the cloud stuff somehow.

Another interesting driver is the Intel Processor driver (Microsoft signed this one also) - intelppm.sys
It dates from 1972 - What The Heck????
FWIW - the intelppm.sys driver on my test system is dated from 03 Dec 2016 - YET, it shows as 1972 in the minidump on my system.

Finally, I've got to wonder why there's a bunch of USB audio stuff in the dump output. I've seen BSOD issues with USB audio in the past, but it's not a constant problem that I see.

It will be interesting to see the results of Driver Verifier.
Thanks for your continuing help with this matter!

Analysis:
The following is for information purposes only. The following information contains the relevant information from the blue screen analysis:

**************************Fri Dec 23 13:11:13.390 2016 (UTC - 5:00)**************************
Loading Dump File [C:\Users\john\SysnativeBSODApps\MEMORY.DMP]
Windows 10 Kernel Version 14986 MP (4 procs) Free x64
Built by: 14986.1000.amd64fre.rs_prerelease.161202-1928
System Uptime:0 days 0:04:17.020
*** ERROR: Module load completed but symbols could not be loaded for mwac.sys
Probably caused by :NETIO.SYS ( NETIO!FeCompleteClassify+ad )
BugCheck 3B, {c0000005, fffff805f55318a3, ffffd88005b539c0, 0}
BugCheck Info: SYSTEM_SERVICE_EXCEPTION (3b)
Arguments:
Arg1: 00000000c0000005, Exception code that caused the bugcheck
Arg2: fffff805f55318a3, Address of the instruction which caused the bugcheck
Arg3: ffffd88005b539c0, Address of the context record for the exception that caused the bugcheck
Arg4: 0000000000000000, zero.
BUGCHECK_STR: 0x3B
DEFAULT_BUCKET_ID: WIN8_DRIVER_FAULT
PROCESS_NAME: MBAMService.exe
FAILURE_BUCKET_ID: OLD_IMAGE_NETIO.SYS
CPUID: "Intel(R) Core(TM) i5-4690K CPU @ 3.50GHz"
MaxSpeed: 3500
CurrentSpeed: 3500
BIOS Version F7
BIOS Release Date 04/21/2015
Manufacturer Gigabyte Technology Co., Ltd.
Product Name Z97X-UD3H-BK
Baseboard Product Z97X-UD3H-BK-CF

3rd Party Drivers:
The following is for information purposes only. My recommendations were given above. The drivers that follow belong to software or devices that were not developed by Microsoft. You can find links to the driver information and where to update the drivers in the section after the code box:

**************************Fri Dec 23 13:11:13.390 2016 (UTC - 5:00)**************************
intelppm.sys Tue Jun 13 03:21:26 1972 (049B0476)
mbae64.sys Fri Apr 29 06:10:09 2016 (57233301)
e1d65x64.sys Tue Jul 26 12:48:21 2016 (57979455)
mbam.sys Wed Sep 28 11:45:44 2016 (57EBE5A8)
farflt.sys Wed Nov 2 10:29:12 2016 (5819F838)
MBAMSwissArmy.sys Wed Nov 9 09:21:05 2016 (582330D1)
mwac.sys Thu Nov 17 20:02:05 2016 (582E530D)
MBAMChameleon.sys Sat Nov 19 14:13:08 2016 (5830A444)
FocusriteUSBAudio.sys Wed Nov 30 11:50:23 2016 (583F034F)
FocusriteUSBSwRoot.sys Wed Nov 30 11:50:35 2016 (583F035B)
FocusriteUSB.sys Wed Nov 30 11:50:41 2016 (583F0361)
cldflt.sys ***** Invalid 1996 Invalid 1996 Invalid

http://www.carrona.org/drivers/driver.php?id=intelppm.sys
http://www.carrona.org/drivers/driver.php?id=mbae64.sys
http://www.carrona.org/drivers/driver.php?id=e1d65x64.sys
http://www.carrona.org/drivers/driver.php?id=mbam.sys
farflt.sys - this driver hasn't been added to the DRT as of this run. Please search Google/Bing for the driver if additional information is needed.
http://www.carrona.org/drivers/driver.php?id=MBAMSwissArmy.sys
http://www.carrona.org/drivers/driver.php?id=mwac.sys
http://www.carrona.org/drivers/driver.php?id=MBAMChameleon.sys
FocusriteUSBAudio.sys - this driver hasn't been added to the DRT as of this run. Please search Google/Bing for the driver if additional information is needed.
FocusriteUSBSwRoot.sys - this driver hasn't been added to the DRT as of this run. Please search Google/Bing for the driver if additional information is needed.
FocusriteUSB.sys - this driver hasn't been added to the DRT as of this run. Please search Google/Bing for the driver if additional information is needed.
cldflt.sys - this driver hasn't been added to the DRT as of this run. Please search Google/Bing for the driver if additional information is needed.

Edited December 24, 2016 by usasma
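Added example, not part of the original thread: the hex value in parentheses after each driver in the listing above is the image header's timestamp field in seconds since the Unix epoch, so the list can be decoded and checked mechanically. The `triage` helper and the plausibility cutoff are assumptions made for this example; the sample lines are copied from the listing above.

```python
import re
from datetime import datetime, timezone

# Lines copied from the 3rd-party driver listing in the post above.
DRIVER_LIST = """\
intelppm.sys Tue Jun 13 03:21:26 1972 (049B0476)
mbae64.sys Fri Apr 29 06:10:09 2016 (57233301)
farflt.sys Wed Nov 2 10:29:12 2016 (5819F838)
mwac.sys Thu Nov 17 20:02:05 2016 (582E530D)
cldflt.sys ***** Invalid 1996 Invalid 1996 Invalid
"""

# Assumption for this example: a header timestamp earlier than this cannot be
# a genuine build time for a driver loaded on a Windows 10 system.
PLAUSIBLE_AFTER = datetime(2006, 1, 1, tzinfo=timezone.utc)

LINE_RE = re.compile(r"^(?P<name>\S+\.sys)\s+(?P<rest>.*)$", re.IGNORECASE)
STAMP_RE = re.compile(r"\((?P<hex>[0-9A-Fa-f]{8})\)\s*$")


def triage(listing, dump_time):
    """Return {driver: (utc_datetime_or_None, verdict)} for each listed driver."""
    results = {}
    for line in listing.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        stamp = STAMP_RE.search(m["rest"])
        if stamp is None:
            # The debugger printed no usable header value (the cldflt.sys case).
            results[m["name"]] = (None, "no-timestamp")
            continue
        when = datetime.fromtimestamp(int(stamp["hex"], 16), tz=timezone.utc)
        # Flag values before the cutoff or later than the crash itself.
        if when < PLAUSIBLE_AFTER or when > dump_time:
            verdict = "implausible"
        else:
            verdict = "ok"
        results[m["name"]] = (when, verdict)
    return results


if __name__ == "__main__":
    # Dump header time from the post: 13:11:13 at UTC-5 is 18:11:13 UTC.
    dump = datetime(2016, 12, 23, 18, 11, 13, tzinfo=timezone.utc)
    for name, (when, verdict) in triage(DRIVER_LIST, dump).items():
        shown = when.strftime("%Y-%m-%d %H:%M:%S UTC") if when else "-"
        print(f"{name:<14} {shown:<24} {verdict}")
```

A flagged entry shows only that the header value is not usable as a build date; the file's version and digital signature are the things to check next.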

Hawaii_Beach Posted December 25, 2016 Author ID:1083813

So the driver verifier caused my computer to throw DRIVER_VERIFIER_DETECTED_VIOLATION (bsod), never got to my desktop. A quick research and it points to ndisrfl.sys which is Intel(R) Technology Access Filter Driver ?!?! waah this stuff is so deep!

Went and turned on safeboot and disabled the verifier, here's a full memory dump and one from the minidump folder: https://drive.google.com/file/d/0B-UGaCd9HSqgTm9fdFNqUTZWYVU/view?usp=sharing

Hawaii_Beach Posted December 25, 2016 Author ID:1083815

Some more research and it seems like ndisrfl.sys is the ethernet card driver..?

usasma Posted December 26, 2016 ID:1084002

IMO, it's more likely that this driver interfaces with the ME (Management Engine) functionality. As it has ndis in the driver name, I would expect that there is some network functionality in the driver (and some posts on the web suggest that it can break your ethernet connectivity if it doesn't install properly).

That being said, here are some articles that seem to discuss it:
https://forums.lenovo.com/t5/Pre-Installed-Lenovo-Software/Intel-Technology-Access-Driver-T450s-Microsoft-DirectAccess/m-p/2080891#M27120
https://downloadcenter.intel.com/download/24415
https://downloadcenter.intel.com/product/85628/Intel-Technology-Access

The second and third links have a yellow bar across the page that states that Intel is no longer providing support for this product. As the first article suggests uninstalling it, I'd suggest uninstalling it on your system and see what happens (make a system restore point beforehand - just in case).

Just FYI - there are also some posts on the web that suggest it's necessary for a touchscreen to work.

I ran both of the dumps. The full dump blames ndisrfl.sys, while the minidump blames memory corruption. Another interesting result in this hunt!

Unfortunately, I can't find any of the other reports that I requested, so I can't offer a firm opinion on this. I suggest uninstalling the Intel Technology Access software from your system and seeing if that helps.

Analysis:
The following is for information purposes only. The following information contains the relevant information from the blue screen analysis:

**************************Sun Dec 25 08:48:01.594 2016 (UTC - 5:00)**************************
Loading Dump File [C:\Users\john\SysnativeBSODApps\MEMORY.DMP]
Windows 10 Kernel Version 14986 MP (4 procs) Free x64
Built by: 14986.1000.amd64fre.rs_prerelease.161202-1928
System Uptime:0 days 0:00:03.287
*** ERROR: Module load completed but symbols could not be loaded for ndisrfl.sys
Probably caused by :ndisrfl.sys
BugCheck C4, {62, ffffbf0d4585bfc0, ffffbf0d4585bd80, 3e8}
BugCheck Info: DRIVER_VERIFIER_DETECTED_VIOLATION (c4)
DRIVER_VERIFIER_DETECTED_VIOLATION (c4)
Arguments:
Arg1: 0000000000000062, A driver has forgotten to free its pool allocations prior to unloading.
Arg2: ffffbf0d4585bfc0, name of the driver having the issue.
Arg3: ffffbf0d4585bd80, verifier internal structure with driver information.
Arg4: 00000000000003e8, total # of (paged+nonpaged) allocations that weren't freed.
Type !verifier 3 drivername.sys for info on the allocations that were leaked that caused the bugcheck.
BUGCHECK_STR: 0xc4_62
PROCESS_NAME: System
FAILURE_BUCKET_ID: 0xc4_62_VRF_LEAKED_POOL_IMAGE_ndisrfl.sys

**************************Sun Dec 25 08:48:01.594 2016 (UTC - 5:00)**************************
Loading Dump File [C:\Users\john\SysnativeBSODApps\122516-5046-01.dmp]
Windows 10 Kernel Version 14986 MP (4 procs) Free x64
Built by: 14986.1000.amd64fre.rs_prerelease.161202-1928
System Uptime:0 days 0:00:03.287
*** WARNING: Unable to verify timestamp for ndisrfl.sys
*** ERROR: Module load completed but symbols could not be loaded for ndisrfl.sys
Probably caused by :memory_corruption
BugCheck C4, {62, ffffbf0d4585bfc0, ffffbf0d4585bd80, 3e8}
BugCheck Info: DRIVER_VERIFIER_DETECTED_VIOLATION (c4)
DRIVER_VERIFIER_DETECTED_VIOLATION (c4)
Arguments:
Arg1: 0000000000000062, A driver has forgotten to free its pool allocations prior to unloading.
Arg2: ffffbf0d4585bfc0, name of the driver having the issue.
Arg3: ffffbf0d4585bd80, verifier internal structure with driver information.
Arg4: 00000000000003e8, total # of (paged+nonpaged) allocations that weren't freed.
Type !verifier 3 drivername.sys for info on the allocations that were leaked that caused the bugcheck.
BUGCHECK_STR: 0xc4_62
PROCESS_NAME: System
FAILURE_BUCKET_ID: MEMORY_CORRUPTION_ONE_BYTE

3rd Party Drivers:
The following is for information purposes only. My recommendations were given above. The drivers that follow belong to software or devices that were not developed by Microsoft. You can find links to the driver information and where to update the drivers in the section after the code box:

**************************Sun Dec 25 08:48:01.594 2016 (UTC - 5:00)**************************
ndisrfl.sys Thu Jul 9 13:06:23 2015 (559EAA0F)

http://www.carrona.org/drivers/driver.php?id=ndisrfl.sys

Hawaii_Beach Posted December 26, 2016 Author ID:1084174 (edited)

I don't know what the hell Intel Technology Access is but I haven't installed it - I know what I put on my computer, or do I - after all I'm running Windows 10...

Now I don't know what the hell is going on. Somehow Malwarebytes causes my stuff to break, but without Malwarebytes I never get these weird bsods n stuff. We need some support from a guy knowing Intel software...

Edited December 26, 2016 by Hawaii_Beach

usasma Posted December 27, 2016 ID:1084264

The Intel Technology Access is sometimes installed by the OEMs. I'm not familiar with it, but the driver is installed on your system - so it's there.

So, let's summarize:
- you're using a "beta" operating system that has known issues
- you're using a product (Intel Technology Access) that's no longer supported by Intel and isn't being updated for the latest versions of Windows
- you're using a product (MalwareBytes) that has known issues with the "beta" operating system
- both MalwareBytes and Microsoft are working at fixing the problems - but I have no clue if they're working together or working independently. If working independently, it's not unreasonable to assume that each update might cause further problems until they finally settle on the code that they'll use in the final release.

Good luck!

usasma Posted January 1, 2017 ID:1085692

Hi Scottahart777!

While this may seem to be the exact same problem as Hawaii_Beach is having, there are many differences between the systems and the Windows installations that aren't readily visible. If you'd like assistance with your specific issues, please feel free to start your own topic - so that your issues can get the individual attention that they deserve. Feel free to follow this topic also, as it may provide suggestions that may help you also.

Just FYI - build 14986 is a Fast Ring Windows Insider build - and, as such, it's not likely to be completely stable. In the past we've seen issues with the builds and MalwareBytes that have been fixed in subsequent builds - only to return again. What we have here is 2 sets of developers from 2 different companies (Microsoft and MalwareBytes) who are trying to produce a stable product. The kinks will eventually be worked out, but it may take some time.

Anach Posted January 22, 2017 ID:1090297

Same here with 3.05, but also did it with previous 3.0 versions. Using along side Windows Defender, on Preview build 14986. Not using Bittorrent on this machine. It just happens randomly. Tried a different NIC, but the same thing. Currently using an Intel i350-T2 and tried a i9402PT.

==================================================
Dump File : 012217-14953-01.dmp
Crash Time : 22/01/2017 14:58:31
Bug Check String : SYSTEM_SERVICE_EXCEPTION
Bug Check Code : 0x0000003b
Parameter 1 : 00000000`c0000005
Parameter 2 : fffff806`b81318a3
Parameter 3 : ffff8981`2e6a5b00
Parameter 4 : 00000000`00000000
Caused By Driver : NETIO.SYS
Caused By Address : NETIO.SYS+59b1
File Description : Network I/O Subsystem
Product Name : Microsoft® Windows® Operating System
Company : Microsoft Corporation
File Version : 10.0.14986.1000 (WinBuild.160101.0800)
Processor : x64
Crash Address : ntoskrnl.exe+153240
Stack Address 1 :
Stack Address 2 :
Stack Address 3 :
Computer Name :
Full Path : C:\WINDOWS\Minidump\012217-14953-01.dmp
Processors Count : 12
Major Version : 15
Minor Version : 14986
Dump File Size : 318,624
Dump File Time : 22/01/2017 15:08:48
==================================================

usasma Posted January 23, 2017 ID:1090506

Hi Anach!

If you'd like some individual assistance with the BSOD issues, please start your own topic and include this:

Please run this report collecting tool so that we can provide a complete analysis (from the pinned topic at the top of the forum): https://forums.malwarebytes.org/topic/170037-blue-screen-of-death-bsod-posting-instructions-windows-10-81-8-7-vista/

FYI - I don't often use the Perfmon report, so if it doesn't work please just let me know.

NOTE: On problem systems it can take up to 20 minutes for the log files to complete. Please be patient and let it run.

If you still have problems with it running, there's an alternate tool here (direct download link): https://github.com/blueelvis/BSOD-Inspector/releases/download/1.0.5/BSODInspector-1.0.5.exe

NOTE: Please zip up the (.ZIP) files - do not use .RAR, .7z or other compression utilities. .ZIP is the type file that can be uploaded to the forums.

Anach Posted January 29, 2017 ID:1097012

Still the same with 3.06. Haven't got to the logs yet. Will do soon.