exile360

BAD_POOL_HEADER BSOD


I'm not sure what caused it, but I just had a BSOD.  Minidump attached.

041318-6021-01.zip

I'm uploading the MEMORY.DMP to WeTransfer (147MB compressed to ZIP with WinRAR).  I'll provide the link once it's done (slow DSL so it will be a while).



It's not often that a lone memory dump is able to pinpoint the cause of a BSOD.  As such, please run this report-collecting tool so that we can provide a complete analysis (from the pinned topic at the top of the forum):  https://forums.malwarebytes.org/topic/170037-blue-screen-of-death-bsod-posting-instructions-windows-10-81-8-7-vista/

FYI - I don't often use the Perfmon report, so if it doesn't work please just let me know.
NOTE:  On problem systems it can take up to 20 minutes for the log files to complete.  Please be patient and let it run.

If you still have problems with it running, there's an alternate tool here (direct download link):  https://github.com/blueelvis/BSOD-Inspector/releases/download/1.0.5/BSODInspector-1.0.5.exe

NOTE:
Please zip up the files (.ZIP) - do not use .RAR, .7z or other compression utilities.
.ZIP is the file type that can be uploaded to the forums.

 

Here's the analysis of the memory dump(s):

FYI - the MEMORY.dmp file was generated during the BSOD crash - and the minidump was extracted from it.
There's a lot more information in the stack text for the MEMORY.dmp file - so we'll concentrate on that.

The stack text shows several different drivers that were involved in the crash:
 

Quote

**************************Fri Apr 13 12:34:29.549 2018 (UTC - 4:00)**************************
STACK_TEXT:  
fffff880`0b346ff8 fffff800`03047253 : 00000000`00000019 00000000`00000003 fffff800`03065f50 00000000`00000000 : nt!KeBugCheckEx
fffff880`0b347000 fffff880`017441a7 : fffff880`00000000 fffff880`0b347180 00000000`000000a0 fffffa80`00000000 : nt!ExFreePool+0x4fb
fffff880`0b3470f0 fffff880`01769a9a : 00000000`000004d8 fffffa80`133e8010 00000000`000003f4 00000000`00000000 : NETIO!WfpPoolAllocNonPaged+0x17
fffff880`0b347120 fffff880`0176a92d : 00000000`000004d8 fffff880`0b3471c0 00000000`00000588 fffffa80`133e8010 : NETIO!FeCopyIncomingValues+0x7a
fffff880`0b347180 fffff880`0176b8dc : 00000000`00000000 00000000`00000000 00000000`00000000 fffffa80`133e8010 : NETIO!DeepCopyOnStackClassifyParams+0x2d
fffff880`0b3471c0 fffff880`0156c1d9 : 00000155`00000155 00000000`00000000 fffffa80`1331c7d0 00000000`00000155 : NETIO!FePendClassify+0x15c
fffff880`0b347230 fffff880`0b7a3964 : 00000000`00000000 fffff880`0b7ad840 fffff880`0b347390 00000000`00000008 : fwpkclnt!FwpsPendClassify0+0x39
fffff880`0b347260 fffff880`0b7a17ba : 00000155`00000155 fffff880`0b7adbc0 fffff880`0b7a12f8 fffff880`0b347380 : mwac+0x8964
fffff880`0b3472a0 fffff880`0b7a03ef : 00000000`00000000 fffff880`0b7adbc0 00000000`00000000 fffff880`0b347390 : mwac+0x67ba
fffff880`0b3472d0 fffff880`0b7a2920 : 00000000`00000000 fffff880`0b7ad840 00000000`00000006 fffff880`00000005 : mwac+0x53ef
fffff880`0b347330 fffff880`018d6b38 : fffff880`0b347618 fffff880`0168b3a7 00000000`00000002 fffff880`01678295 : mwac+0x7920
fffff880`0b347470 fffff880`01757b81 : fffff880`0b347ba0 00000000`00000000 00000000`00000000 00000000`00000000 : tcpip!AlePostProcessClassify+0xd8
fffff880`0b3474c0 fffff880`0174017c : fffffa80`126c0042 fffff880`0b347998 fffff880`0b347ba0 fffff880`0b347bd0 : NETIO! ?? ::FNODOBFM::`string'+0x7261
fffff880`0b3475f0 fffff880`018a6970 : 00000000`00000011 fffff880`0b347998 00000000`00000000 fffff880`0b347bd0 : NETIO!KfdClassify+0x24c
fffff880`0b347960 fffff880`01925b56 : 00000000`00000002 fffff880`0b3485e8 fffffa80`125e2080 00000000`00000000 : tcpip! ?? ::FNODOBFM::`string'+0x100e0
fffff880`0b348040 fffff880`018bbeb8 : 00000000`00000000 fffff880`0b3485e8 00000000`00000000 00000000`00000000 : tcpip!ProcessRedirectLayerForNonNativeTCP+0x266
fffff880`0b3482a0 fffff880`01840e86 : 00000000`000200ff 00000000`00000000 00000000`00000000 fffffa80`13283d50 : tcpip! ?? ::FNODOBFM::`string'+0x264a5
fffff880`0b348510 fffff880`018917c4 : fffffa80`13283d50 fffffa80`12f574b0 00000000`000057f1 fffff880`0188bb01 : tcpip!WfpProcessOutTransportStackIndication+0x326
fffff880`0b3486b0 fffff880`0185d60f : fffffa80`0f14f858 fffffa80`0f14f90c fffff880`0b348b40 00000000`00000001 : tcpip!IppInspectLocalDatagramsOut+0x264
fffff880`0b348790 fffff880`0185fa3e : 00000000`00000000 fffff880`0173cf04 fffffa80`13283d50 fffffa80`12f574b0 : tcpip!IppSendDatagramsCommon+0x7ef
fffff880`0b348930 fffff880`0183cd61 : fffffa80`13283d50 fffffa80`125e0080 fffffa80`13b93380 00000000`00000001 : tcpip!IpNlpSendDatagrams+0x3e
fffff880`0b348970 fffff880`0183cfbe : fffffa80`13b93380 fffffa80`132a53d0 fffff8a0`00098430 00000000`00000000 : tcpip!UdpSendMessagesOnPathCreation+0x6d1
fffff880`0b348cf0 fffff880`0183d505 : fffff880`0b349230 fffffa80`0000bb01 00000000`00000000 00000000`00000000 : tcpip!UdpSendMessages+0x1ee
fffff880`0b3490e0 fffff800`02eca3d9 : fffffa80`12b326d0 00000000`00000050 fffffa80`132249c0 00000000`000007ff : tcpip!UdpTlProviderSendMessagesCalloutRoutine+0x15
fffff880`0b349110 fffff880`0183d598 : fffff880`0183d4f0 fffff880`0b349230 fffff880`00000000 fffffa80`13279901 : nt!KeExpandKernelStackAndCalloutEx+0x2c9
fffff880`0b349200 fffff880`01070696 : fffffa80`0f11a400 fffffa80`132797a0 fffffa80`12d3f340 fffffa80`132a53d0 : tcpip!UdpTlProviderSendMessages+0x78
fffff880`0b349280 fffff880`01069223 : fffffa80`13279900 fffffa80`132a53d0 00000000`00000000 fffffa80`132797a0 : tdx!TdxSendTransportAddress+0x1d6
fffff880`0b349320 fffff880`0b733c09 : 00000000`00000000 fffff880`01061c0d fffffa80`13279900 fffffa80`132797a0 : tdx! ?? ::FNODOBFM::`string'+0x3410
fffff880`0b3493a0 fffff880`0b72dd13 : fffffa80`132797a0 fffff880`0b349b60 fffffa80`0f247e30 00000000`00000000 : hmpnet+0x7c09
fffff880`0b3493f0 fffff880`0b737cb5 : 00000000`00000200 fffff880`0b349760 fffffa80`135a8010 fffff880`0b349760 : hmpnet+0x1d13
fffff880`0b349420 fffff880`02cf3906 : 00000000`00000200 fffff880`0b349b60 fffff880`0b349760 00000000`00000200 : hmpnet+0xbcb5
fffff880`0b349450 fffff880`02cc842e : fffffa80`135a8010 fffff880`0b349760 00000000`00000200 fffffa80`132a53d0 : afd! ?? ::GFJBLGFE::`string'+0x5f47
fffff880`0b349550 fffff800`033240fe : 00000000`00000200 fffffa80`12e1edf0 00000000`00000000 fffff880`02f77180 : afd!AfdFastIoDeviceControl+0x41e
fffff880`0b3498c0 fffff800`031b6f06 : fffff880`0b349ab8 00000000`00000000 00000000`00000000 000000c0`423100f0 : nt!IopXxxControlFile+0x6be
fffff880`0b349a00 fffff800`02f19383 : fffff880`0b349b60 fffffa80`122b8630 fffff880`0b349ab8 00000000`00000001 : nt!NtDeviceIoControlFile+0x56
fffff880`0b349a70 00000000`7781991a : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x13
00000000`032efce8 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x7781991a

Presuming that the problem is with a 3rd party driver (and is not with MalwareBytes), then the most likely culprit is hmpnet.sys, a HitmanPro.Alert WFP driver.
I suggest uninstalling HitmanPro and seeing if that stops the problem.

Also, it won't hurt to uninstall/reinstall your chipset, storage controller, and networking drivers
 


Analysis:
The following is for information purposes only.
The following information contains the relevant information from the blue screen analysis:
**************************Fri Apr 13 12:34:29.549 2018 (UTC - 4:00)**************************
Loading Dump File [C:\Users\john\SysnativeBSODApps\MEMORY.DMP]
Windows 7 Kernel Version 7601 (Service Pack 1) MP (8 procs) Free x64
Built by: 7601.24094.amd64fre.win7sp1_ldr_escrow.180330-1600
System Uptime:0 days 0:50:44.314
*** ERROR: Module load completed but symbols could not be loaded for mwac.sys
*** ERROR: Module load completed but symbols could not be loaded for hmpnet.sys
Probably caused by :Pool_Corruption ( nt!ExFreePool+4fb )
BugCheck 19, {3, fffff80003065f50, 0, fffff80003065f50}
BugCheck Info: BAD_POOL_HEADER (19)
Arguments:
Arg1: 0000000000000003, the pool freelist is corrupt.
Arg2: fffff80003065f50, the pool entry being checked.
Arg3: 0000000000000000, the read back flink freelist value (should be the same as 2).
Arg4: fffff80003065f50, the read back blink freelist value (should be the same as 2).
BUGCHECK_STR:  0x19_3
PROCESS_NAME:  dnscrypt-proxy.exe
FAILURE_BUCKET_ID: X64_0x19_3_nt!ExFreePool+4fb
CPUID:        "Intel(R) Core(TM) i7-7700K CPU @ 4.20GHz"
MaxSpeed:     4200
CurrentSpeed: 4200
  BIOS Version                  1.06.11
  BIOS Release Date             07/27/2017
  Manufacturer                  Eurocom
  Product Name                  Sky X4E2G
**************************Fri Apr 13 12:34:29.549 2018 (UTC - 4:00)**************************
Loading Dump File [C:\Users\john\SysnativeBSODApps\041318-6021-01.dmp]
Windows 7 Kernel Version 7601 (Service Pack 1) MP (8 procs) Free x64
Built by: 7601.24094.amd64fre.win7sp1_ldr_escrow.180330-1600
System Uptime:0 days 0:50:44.314
*** WARNING: Unable to verify timestamp for mwac.sys
*** ERROR: Module load completed but symbols could not be loaded for mwac.sys
Probably caused by :Pool_Corruption ( nt!ExFreePool+4fb )
BugCheck 19, {3, fffff80003065f50, 0, fffff80003065f50}
BugCheck Info: BAD_POOL_HEADER (19)
Arguments:
Arg1: 0000000000000003, the pool freelist is corrupt.
Arg2: fffff80003065f50, the pool entry being checked.
Arg3: 0000000000000000, the read back flink freelist value (should be the same as 2).
Arg4: fffff80003065f50, the read back blink freelist value (should be the same as 2).
BUGCHECK_STR:  0x19_3
PROCESS_NAME:  dnscrypt-proxy
FAILURE_BUCKET_ID: X64_0x19_3_nt!ExFreePool+4fb
CPUID:        "Intel(R) Core(TM) i7-7700K CPU @ 4.20GHz"
MaxSpeed:     4200
CurrentSpeed: 4200
  BIOS Version                  1.06.11
  BIOS Release Date             07/27/2017
  Manufacturer                  Eurocom
  Product Name                  Sky X4E2G
 


3rd Party Drivers:
The following is for information purposes only.
My recommendations were given above. The drivers that follow belong to software or devices that were not developed by Microsoft.  You can find links to the driver information and where to update the drivers in the section after the code box:
**************************Fri Apr 13 12:34:29.549 2018 (UTC - 4:00)**************************
MpKslf41d28ac.sys           Mon Feb 27 20:54:41 1989 (2409FBE1)
intelppm.sys                Mon Jul 13 19:19:25 2009 (4A5BC0FD)
MBfilt64.sys                Thu Jul 30 23:40:32 2009 (4A7267B0)
amdxata.sys                 Fri Mar 19 12:18:18 2010 (4BA3A3CA)
IaNVMeF.sys                 Tue Jul  7 04:23:47 2015 (559B8C93)
HKKbdFltr.sys               Fri Oct 16 03:45:39 2015 (5620AB23)
HKMouFltr.sys               Fri Oct 16 03:45:44 2015 (5620AB28)
RtsPer.sys                  Wed Jan 13 02:31:14 2016 (5695FD42)
e2xw7x64.sys                Fri Feb  5 17:44:58 2016 (56B525EA)
cpumcupdate64.sys           Tue May 31 08:59:16 2016 (574D8AA4)
ALSysIO64.sys               Wed Jul  6 12:47:33 2016 (577D3625)
SynTP.sys                   Wed Jul 27 17:39:55 2016 (57992A2B)
Smb_driver_Intel.sys        Wed Jul 27 17:40:32 2016 (57992A50)
MpFilter.sys                Mon Aug  8 19:01:17 2016 (57A90F3D)
RTKVHD64.sys                Tue Nov 29 08:12:39 2016 (583D7EC7)
hmpnet.sys                  Sat Dec 31 05:26:02 2016 (586787BA)
mbae64.sys                  Wed Jan 11 12:08:00 2017 (58766670)
iusb3hub.sys                Tue Mar 28 09:43:26 2017 (58DA687E)
iusb3xhc.sys                Tue Mar 28 09:43:28 2017 (58DA6880)
XtuAcpiDriver.sys           Wed Apr 12 04:58:50 2017 (58EDEC4A)
ICCWDT.sys                  Thu May  4 07:42:54 2017 (590B13BE)
iocbios2.sys                Fri Sep 15 06:22:21 2017 (59BBA9DD)
secnvmeF.sys                Thu Oct 12 05:30:01 2017 (59DF3619)
dump_secnvme.sys            Thu Oct 12 05:30:05 2017 (59DF361D)
secnvme.sys                 Thu Oct 12 05:30:05 2017 (59DF361D)
Netwsw04.sys                Mon Oct 23 09:48:18 2017 (59EDF322)
TeeDriverx64.sys            Sun Nov 19 06:39:31 2017 (5A116D73)
nvhda64v.sys                Fri Dec 15 03:17:43 2017 (5A338527)
sgx_driver.sys              Mon Jan 15 01:24:18 2018 (5A5C4912)
farflt.sys                  Wed Mar  7 09:25:24 2018 (5A9FF654)
mbamswissarmy.sys           Wed Mar  7 10:54:57 2018 (5AA00B51)
mbam.sys                    Wed Mar  7 12:45:05 2018 (5AA02521)
nvlddmkm.sys                Thu Mar 15 18:18:03 2018 (5AAAF11B)
mwac.sys                    Sat Mar 24 11:27:36 2018 (5AB66E68)
hmpalert.sys                Thu Mar 29 09:10:15 2018 (5ABCE5B7)
 


MpKslf41d28ac.sys - this driver hasn't been added to the DRT as of this run. Please search Google/Bing for the driver if additional information is needed.
http://www.carrona.org/drivers/driver.php?id=intelppm.sys
http://www.carrona.org/drivers/driver.php?id=MBfilt64.sys
http://www.carrona.org/drivers/driver.php?id=amdxata.sys
IaNVMeF.sys - this driver hasn't been added to the DRT as of this run. Please search Google/Bing for the driver if additional information is needed.
http://www.carrona.org/drivers/driver.php?id=HKKbdFltr.sys
http://www.carrona.org/drivers/driver.php?id=HKMouFltr.sys
http://www.carrona.org/drivers/driver.php?id=RtsPer.sys
e2xw7x64.sys - this driver hasn't been added to the DRT as of this run. Please search Google/Bing for the driver if additional information is needed.
cpumcupdate64.sys - this driver hasn't been added to the DRT as of this run. Please search Google/Bing for the driver if additional information is needed.
http://www.carrona.org/drivers/driver.php?id=ALSysIO64.sys
http://www.carrona.org/drivers/driver.php?id=SynTP.sys
http://www.carrona.org/drivers/driver.php?id=Smb_driver_Intel.sys
http://www.carrona.org/drivers/driver.php?id=MpFilter.sys
http://www.carrona.org/drivers/driver.php?id=RTKVHD64.sys
http://www.carrona.org/drivers/driver.php?id=hmpnet.sys
http://www.carrona.org/drivers/driver.php?id=mbae64.sys
http://www.carrona.org/drivers/driver.php?id=iusb3hub.sys
http://www.carrona.org/drivers/driver.php?id=iusb3xhc.sys
http://www.carrona.org/drivers/driver.php?id=XtuAcpiDriver.sys
http://www.carrona.org/drivers/driver.php?id=ICCWDT.sys
http://www.carrona.org/drivers/driver.php?id=iocbios2.sys
http://www.carrona.org/drivers/driver.php?id=secnvmeF.sys
http://www.carrona.org/drivers/driver.php?id=dump_secnvme.sys
http://www.carrona.org/drivers/driver.php?id=secnvme.sys
Netwsw04.sys - this driver hasn't been added to the DRT as of this run. Please search Google/Bing for the driver if additional information is needed.
http://www.carrona.org/drivers/driver.php?id=TeeDriverx64.sys
http://www.carrona.org/drivers/driver.php?id=nvhda64v.sys
sgx_driver.sys - this driver hasn't been added to the DRT as of this run. Please search Google/Bing for the driver if additional information is needed.
http://www.carrona.org/drivers/driver.php?id=farflt.sys
http://www.carrona.org/drivers/driver.php?id=mbamswissarmy.sys
http://www.carrona.org/drivers/driver.php?id=mbam.sys
http://www.carrona.org/drivers/driver.php?id=nvlddmkm.sys
http://www.carrona.org/drivers/driver.php?id=mwac.sys
hmpalert.sys - this driver hasn't been added to the DRT as of this run. Please search Google/Bing for the driver if additional information is needed.
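
As an added illustration (not part of the original thread, and not code from Malwarebytes, HitmanPro or the report tool), here is a small C routine that does mechanically what the analysis above does by eye: it reads the STACK_TEXT frames from the one nearest the bug check outward, records each module in the order it first appears, and notes which frames resolved only to module+offset, i.e. without symbols, which is what the "symbols could not be loaded for mwac.sys / hmpnet.sys" lines in the report mean. The embedded sample is a subset of the stack lines quoted above. Missing symbols are only a hint that a module is third-party; the call order and the flag are the facts, naming a culprit remains a judgement.

```c
#include <stdio.h>
#include <string.h>

#define MAX_MODULES 32
#define NAME_LEN 32

typedef struct {
    char name[NAME_LEN];
    int has_symbols;   /* frame resolved to module!function rather than module+offset */
    int first_frame;   /* index of the module's first frame; 0 is nearest the bug check */
} module_info;

/* Walk STACK_TEXT output line by line. Each frame line ends in " : <symbol>",
 * where <symbol> is module!function+off, module+off, or a bare address such
 * as 0x7781991a for a user-mode return (skipped). Records each module the
 * first time it is seen, preserving call order from the crash outward.
 * Returns the number of distinct modules stored in out[]. */
int stack_modules(const char *stack_text, module_info *out, int max)
{
    int count = 0, frame = 0;
    const char *p = stack_text;

    while (*p) {
        const char *eol = strchr(p, '\n');
        const char *end = eol ? eol : p + strlen(p);

        /* the symbol field follows the last " : " on the line */
        const char *sym = NULL;
        for (const char *q = p; q + 3 <= end; q++)
            if (q[0] == ' ' && q[1] == ':' && q[2] == ' ')
                sym = q + 3;

        if (sym && strncmp(sym, "0x", 2) != 0) {
            size_t n = 0;
            while (sym + n < end && sym[n] != '!' && sym[n] != '+' && sym[n] != '\r')
                n++;
            int symbolized = (sym + n < end && sym[n] == '!');

            int i;
            for (i = 0; i < count; i++)
                if (strlen(out[i].name) == n && strncmp(out[i].name, sym, n) == 0)
                    break;
            if (i == count && n > 0 && n < NAME_LEN && count < max) {
                memcpy(out[count].name, sym, n);
                out[count].name[n] = '\0';
                out[count].has_symbols = symbolized;
                out[count].first_frame = frame;
                count++;
            }
        }
        if (sym) frame++;
        if (!eol) break;
        p = eol + 1;
    }
    return count;
}

/* Subset of the STACK_TEXT quoted in the post above, copied verbatim. */
const char SAMPLE_STACK[] =
"fffff880`0b346ff8 fffff800`03047253 : 00000000`00000019 00000000`00000003 fffff800`03065f50 00000000`00000000 : nt!KeBugCheckEx\n"
"fffff880`0b347000 fffff880`017441a7 : fffff880`00000000 fffff880`0b347180 00000000`000000a0 fffffa80`00000000 : nt!ExFreePool+0x4fb\n"
"fffff880`0b3470f0 fffff880`01769a9a : 00000000`000004d8 fffffa80`133e8010 00000000`000003f4 00000000`00000000 : NETIO!WfpPoolAllocNonPaged+0x17\n"
"fffff880`0b347230 fffff880`0b7a3964 : 00000000`00000000 fffff880`0b7ad840 fffff880`0b347390 00000000`00000008 : fwpkclnt!FwpsPendClassify0+0x39\n"
"fffff880`0b347260 fffff880`0b7a17ba : 00000155`00000155 fffff880`0b7adbc0 fffff880`0b7a12f8 fffff880`0b347380 : mwac+0x8964\n"
"fffff880`0b347470 fffff880`01757b81 : fffff880`0b347ba0 00000000`00000000 00000000`00000000 00000000`00000000 : tcpip!AlePostProcessClassify+0xd8\n"
"fffff880`0b3474c0 fffff880`0174017c : fffffa80`126c0042 fffff880`0b347998 fffff880`0b347ba0 fffff880`0b347bd0 : NETIO! ?? ::FNODOBFM::`string'+0x7261\n"
"fffff880`0b3475f0 fffff880`018a6970 : 00000000`00000011 fffff880`0b347998 00000000`00000000 fffff880`0b347bd0 : NETIO!KfdClassify+0x24c\n"
"fffff880`0b3493a0 fffff880`0b72dd13 : fffffa80`132797a0 fffff880`0b349b60 fffffa80`0f247e30 00000000`00000000 : hmpnet+0x7c09\n"
"fffff880`0b349550 fffff800`033240fe : 00000000`00000200 fffffa80`12e1edf0 00000000`00000000 fffff880`02f77180 : afd!AfdFastIoDeviceControl+0x41e\n"
"fffff880`0b349a00 fffff800`02f19383 : fffff880`0b349b60 fffffa80`122b8630 fffff880`0b349ab8 00000000`00000001 : nt!NtDeviceIoControlFile+0x56\n"
"00000000`032efce8 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x7781991a\n";

int main(void)
{
    module_info mods[MAX_MODULES];
    int n = stack_modules(SAMPLE_STACK, mods, MAX_MODULES);
    for (int i = 0; i < n; i++)
        printf("frame %2d  %-10s %s\n", mods[i].first_frame, mods[i].name,
               mods[i].has_symbols ? "symbols" : "no symbols (module+offset only)");
    return 0;
}
```

Run against the sample it lists nt, NETIO, fwpkclnt, mwac, tcpip, hmpnet and afd in that order, with mwac and hmpnet the only two without symbols, which is the same pair the analysis singles out.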
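
What bug check 0x19 with Arg1 == 3 actually tests is worth seeing in code. The following is an added, user-mode model (not Windows pool code, and not from this thread): a doubly linked free list whose unlink routine reads back the two neighbours' pointers and requires both to point at the entry being removed. That is the check whose failure the four parameters in the dump describe (entry checked, read-back flink, read-back blink). The constructed scenario overruns one free block's payload into the next block's list header, which reproduces the pattern in the dump above: Arg3 == 0 and Arg4 == Arg2. The struct layout, buffer size and memset overrun are assumptions made for the demonstration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Minimal doubly linked list, the same shape as the kernel's LIST_ENTRY. */
typedef struct list_entry {
    struct list_entry *flink;
    struct list_entry *blink;
} list_entry;

/* The four BAD_POOL_HEADER (0x19) parameters, as the dump prints them. */
typedef struct {
    uintptr_t arg1;   /* 3: the pool freelist is corrupt */
    uintptr_t arg2;   /* the pool entry being checked */
    uintptr_t arg3;   /* read-back flink value, should equal arg2 */
    uintptr_t arg4;   /* read-back blink value, should equal arg2 */
} bugcheck_args;

/* Assumed layout for the demonstration: a free block is its list links
 * followed by a small payload; consecutive blocks are adjacent in memory,
 * so writing past one block's payload lands on the next block's links. */
typedef struct {
    list_entry links;
    char payload[32];
} free_block;

static void list_init(list_entry *head)
{
    head->flink = head->blink = head;
}

static void list_insert_tail(list_entry *head, list_entry *e)
{
    e->flink = head;
    e->blink = head->blink;
    head->blink->flink = e;
    head->blink = e;
}

/* Safe unlink: before trusting e's own pointers, read back what the two
 * neighbours think their neighbour is. Both must be e; otherwise someone
 * has written over a list header and unlinking would corrupt more.
 * Returns 0 after a clean unlink, or 1 with *bc filled in where the kernel
 * would call KeBugCheckEx(0x19, 3, e, readback_flink, readback_blink). */
static int safe_unlink(list_entry *e, bugcheck_args *bc)
{
    list_entry *f = e->flink, *b = e->blink;
    uintptr_t readback_flink = (uintptr_t)f->blink;  /* next entry's back pointer */
    uintptr_t readback_blink = (uintptr_t)b->flink;  /* previous entry's forward pointer */

    if (readback_flink != (uintptr_t)e || readback_blink != (uintptr_t)e) {
        bc->arg1 = 3;
        bc->arg2 = (uintptr_t)e;
        bc->arg3 = readback_flink;
        bc->arg4 = readback_blink;
        return 1;
    }
    f->blink = b;
    b->flink = f;
    return 0;
}

/* Build a three-block free list, optionally overrun block 0's payload by
 * sizeof(list_entry) bytes of zeros (which hits block 1's links), then
 * free block 0. Returns safe_unlink's result; on 1, *bc holds the
 * bug check parameters. */
int simulate_free(int overrun, bugcheck_args *bc)
{
    static free_block blocks[3];
    list_entry head;

    memset(blocks, 0, sizeof blocks);
    memset(bc, 0, sizeof *bc);
    list_init(&head);
    for (int i = 0; i < 3; i++)
        list_insert_tail(&head, &blocks[i].links);

    if (overrun) {
        /* A driver clearing sizeof(payload) + sizeof(list_entry) bytes of a
         * 32-byte buffer. Done through a byte pointer to the whole array so
         * the write stays inside one C object and is well defined here. */
        unsigned char *raw = (unsigned char *)blocks;
        memset(raw + offsetof(free_block, payload), 0,
               sizeof blocks[0].payload + sizeof(list_entry));
    }
    return safe_unlink(&blocks[0].links, bc);
}

int main(void)
{
    bugcheck_args bc;
    if (simulate_free(1, &bc))
        printf("BugCheck 19, {%lx, %lx, %lx, %lx}\n",
               (unsigned long)bc.arg1, (unsigned long)bc.arg2,
               (unsigned long)bc.arg3, (unsigned long)bc.arg4);
    return 0;
}
```

Note what the parameters do and do not tell you: the entry in Arg2 is the block being freed cleanly by whoever is on top of the stack; the block whose header was zeroed belongs to some earlier allocation, and the writer that zeroed it is usually long gone by the time the check fires. That is why a single dump often names the victim rather than the culprit, and why Driver Verifier's special pool is the usual next step.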
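
The hex value in parentheses in the driver list above is the PE header link timestamp (seconds since 1970, UTC); the tool prints it decoded into local time. As an added example (not from the thread and not from the report tool), this C parser re-decodes the raw stamp, cross-checks it against the printed year, and flags dates that are implausible for a driver on this system, such as the 1989 stamp on MpKslf41d28ac.sys. The two sample lines are copied from the list above; the plausible year range is an assumption chosen for a Windows 7 machine that crashed in 2018.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

typedef struct {
    char name[64];
    unsigned long stamp;   /* raw PE TimeDateStamp from the parentheses */
    int stamp_year;        /* year of the stamp, decoded as UTC */
    int printed_year;      /* year the tool printed (local time) */
} driver_stamp;

/* Parse one "name   Day Mon dd hh:mm:ss yyyy (HEX)" line from the report.
 * Returns 1 on success, 0 if the line does not have that shape. */
int parse_driver_line(const char *line, driver_stamp *out)
{
    const char *lp = strrchr(line, '(');
    const char *rp = lp ? strchr(lp, ')') : NULL;
    if (!lp || !rp || lp - line < 5) return 0;

    char *end = NULL;
    unsigned long stamp = strtoul(lp + 1, &end, 16);
    if (end != rp) return 0;                   /* not a clean hex field */

    size_t n = strcspn(line, " \t");           /* driver name is the first token */
    if (n == 0 || n >= sizeof out->name) return 0;
    memcpy(out->name, line, n);
    out->name[n] = '\0';

    out->stamp = stamp;
    out->printed_year = atoi(lp - 5);          /* the "yyyy" just before " (" */

    time_t t = (time_t)stamp;
    struct tm *tm = gmtime(&t);
    if (!tm) return 0;
    out->stamp_year = tm->tm_year + 1900;
    return 1;
}

/* A driver whose link year falls outside [min_year, max_year] cannot have
 * been built when it claims; max_year is the year of the crash under
 * analysis. Also flags a disagreement between the raw stamp and the printed
 * date, allowing one year of slack for time-zone conversion at New Year.
 * Returns 1 when the stamp should not be trusted. */
int stamp_implausible(const driver_stamp *d, int min_year, int max_year)
{
    int diff = d->stamp_year - d->printed_year;
    if (diff < -1 || diff > 1) return 1;
    return d->stamp_year < min_year || d->stamp_year > max_year;
}

int main(void)
{
    /* Two lines copied from the driver list in the post above. */
    const char *samples[] = {
        "MpKslf41d28ac.sys           Mon Feb 27 20:54:41 1989 (2409FBE1)",
        "hmpnet.sys                  Sat Dec 31 05:26:02 2016 (586787BA)",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        driver_stamp d;
        if (!parse_driver_line(samples[i], &d)) {
            printf("unparsed: %s\n", samples[i]);
            continue;
        }
        printf("%-20s stamp=0x%08lX utc_year=%d printed_year=%d %s\n",
               d.name, d.stamp, d.stamp_year, d.printed_year,
               stamp_implausible(&d, 2000, 2018) ? "IMPLAUSIBLE" : "ok");
    }
    return 0;
}
```

A stamp that decodes to 1989 is not a build date; it is either a deliberately bogus value (the MpKsl drivers the analyst later describes as temporary Microsoft Security Essentials drivers carry one) or a tampered header, and either way the timestamp cannot be used to judge whether that driver is "old".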

 


If it is being caused by HMP.Alert, then Malwarebytes probably has some compatibility work to do (because it was likely caused by a conflict between the two if that's the case).  That said, it also might be Adblock Plus for IE.  It did cause a crash recently when it updated to a new version (a common occurrence unfortunately, but generally it only happens when it updates which isn't often).

perfmon report.zip

SysnativeFileCollectionApp.zip


There are a lot of networking issues on your system - as such I think that this is an issue with your system alone, and not a compatibility issue.
If this was a compatibility issue (IMO) there would be many more problems with HMP and MalwareBytes - which we're just not seeing here or in other forums.

Looking at the perfmon report, the networking section of your Device Manager appears full of problem devices.  Right click on all of the problem devices and select "Uninstall".  If it prompts you to remove the software, select that box (to remove it).  Then reboot the system and check to see if the devices have returned.  In particular, the ISATAP will probably not come back.

Do the same thing with any of the disabled devices and see if they return.  Then generate a new perfmon report (so we can look for the remaining errors)

Any devices starting with MpKsl are temporary drivers related to Microsoft Security Essentials.  Please ensure that any of these drivers are enabled in Device Manager - then uninstall MSSE.  Feel free to download a fresh new copy and install/update that.

Only 219 Windows Update hotfixes installed.  Most systems with SP1 have 350-400 or more.  Please visit Windows Update and get ALL available updates (it may take several trips to get them all).
The actual number is not important.  Rather it's important that you checked manually, installed any available updates, and didn't experience any errors when checking or updating.

Here's a list of problem devices in the MSINFO32 report:  The Not Available device is likely a driver for a Synaptics biometric device

Quote

Microsoft ISATAP Adapter #4    ROOT\*ISATAP\0003    This device cannot start.
Microsoft ISATAP Adapter #5    ROOT\*ISATAP\0004    This device cannot start.
MpKsl1e15e811    ROOT\LEGACY_MPKSL1E15E811\0000    This device is not present, is not working properly, or does not have all its drivers installed.
Microsoft Virtual WiFi Miniport Adapter    {5D624F94-8850-40C3-A3FA-A4FD2080BAF3}\VWIFIMP\5&195B0D6C&0&01    This device is disabled.
MpKsl3176f446    ROOT\LEGACY_MPKSL3176F446\0000    This device is not present, is not working properly, or does not have all its drivers installed.
Microsoft Virtual WiFi Miniport Adapter #2    {5D624F94-8850-40C3-A3FA-A4FD2080BAF3}\VWIFIMP\5&195B0D6C&0&02    This device is disabled.
Not Available    USB\VID_06CB&PID_0078\71279800A7AD    The drivers for this device are not installed.
MpKslf41d28ac    ROOT\LEGACY_MPKSLF41D28AC\0000    This device is not present, is not working properly, or does not have all its drivers installed.
Remote Desktop Device Redirector Bus    ROOT\RDPBUS\0000    This device is disabled.

There are only 7 entries in the WER section of the MSINFO32 report.  All date from 13 April 2018.  In a system with the OS having been reinstalled in January - there should be many other entries.  Have you been tweaking the system, and if so, what did you turn off?


I deliberately disabled those devices.  Those are the extra network connections that MS creates which aren't actually required for internet access.  They're used for other things like file and printer sharing, which I deliberately disable/cripple on all of my machines for security.

I also use SimpleDNSCrypt, so that could also be a factor here.

By the way, I've also noticed that the slow shutdown/inability to shutdown issue caused by Malwarebytes on Windows 7 x64 is back in version 3.4.5.  It was fixed in the last 2 or so releases but has re-emerged in the latest build (I've seen previously affected customers reporting the same as what I'm seeing).  I don't know if it's related, but I do notice that the system is overall a lot less stable with MB3 running than without.


By the way, my Windows is fully up to date.  Since MS started rolling everything up into a monthly quality of service/security update each month, the number of updates installed has dropped significantly.  I've already installed this month's patches and Windows Update shows no available updates (neither important nor optional).


I uninstalled the disabled network adapters then scanned for hardware changes and the MS Virtual Wifi Miniport Adapters returned, so I disabled them again.  This is why I didn't remove them before, because MS always tries to reinstall them, so disabling them is the only way to keep them from becoming active.


OK, I'm back.  I rebooted the system after doing all of that.  Here's the new report.

And yes, my system is heavily "tweaked".  I've disabled several unnecessary services and Windows components.  I don't have a complete list, but can provide you with some of the files and tools I use if required.  None of them are dependencies required by Malwarebytes.

perfmon report.zip


Oh, and you are correct, the unknown device is indeed the biometric fingerprint reader that I disabled/removed the driver for.


I haven't disabled any of MSE's drivers either.  Here's an Autoruns log if you want to have a look at the items I have disabled (you need to download Autoruns.exe from MS Sysinternals to read it, or I can export a text version if you prefer; I just find them easier to read in Autoruns).

EXILE-PCII.zip


Here's a list of running services also if you wish to take a look (you can compare it to BlackViper's default list, or to a Windows 7 x64 SP1 system if you have access to one, for comparison if needed).

Services.zip


OK, let's first discuss how to troubleshoot BSOD's....
The best way is to sit by your computer with a live debugger hooked up and wait for the system to BSOD.  This is much better and easier if you can make the system BSOD on demand.  It also takes a skilled analyst to work their way through the details of the crash and try to find the cause (which is often different from what the debugger says).  That takes a long time and, because of the skill involved, is very expensive.

So, for more usual conditions, we work on identifying the most likely components and try to test each of them in order to find out which is at fault.  This is a game of percentages and of what's more likely and less likely (which is where the experience of a BSOD analyst comes in handy :0)

The tweaks make it more difficult - but in this case they are less likely to be at fault than if they had just been done.  So, for now, we'll disregard all but the most obvious tweak stuff (those that affect the networking), as the networking is what's to blame in the memory dump.

BUT - remember, a single memory dump may be misleading.  It may point to another cause just because the error happened to occur when that instruction crashed.  This is most often the case with hardware errors, but can also sometimes be attributed to software type errors.

Then, also remember that a BSOD can be simple (the cause is pointed to in the memory dump and usually involves only 1 driver/piece of hardware/or a compatibility issue) - or it can be complex (where it involves more than one driver/hardware/compatibility issue).  How to tell which is which?  Most often it's the result of prolonged analysis of numerous memory dumps.

Finally, there's the piece of hardware with no drivers installed.  Windows doesn't know what to do with it (and most times ignores it), but it can cause system wide problems (so ALL devices must have up to date drivers installed).  So, please install the drivers for the Synaptics device.

 

So, onto my questions:
- Have you tested for BSOD's after temporarily removing HitManPro?  If so, what were the results?
- Did the ISATAP adapters stay removed when you rebooted?
- Have you tested the other adapters to see if the BSOD occurs when they are enabled

Quote

I deliberately disabled those devices.  Those are the extra network connections that MS creates which aren't actually required for internet access.  They're used for other things like file and printer sharing, which I deliberately disable/cripple on all of my machines for security.

- So, do the networking drivers (to include the MalwareBytes and HitManPro drivers) attempt to access/connect to those devices?  Could their attempting to contact those devices (and failing) at least be contributing to the problem?  The simplest way to find out is to temporarily enable them and test to see if the BSOD goes away.

Intel(R) Wireless Bluetooth has problems with its configuration.  Please uninstall its software, then download and reinstall a fresh copy of the latest driver package from the manufacturer's support website and see if that fixes the error in the Perfmon report.

Looked at the Autoruns info - and there's an awful lot of networking stuff disabled.  But let's ignore it for now as you didn't relate problems with it previously.
The same goes for the services list.  FWIW - I'd spoken with Mark Russinovich and Black Viper (years ago) about their work - and am very impressed and respectful of the work that they have done.

 

Beyond that, you can try running Driver Verifier to force crashes (and it may give us a bit more info about the culprit).  Please use these instructions and let it crash 3 times so we get a good selection of memory dumps:  http://www.carrona.org/verifier.html


Good luck!
 

 

 

 


Honestly, I've only had this BSOD the one time, it was while streaming Netflix and I have attempted to repeat the same conditions and activities and haven't been able to replicate it.  I should also note that I've since updated my graphics card drivers as NVIDIA published a new version recently, so it is possible that the last BSOD was either a one-off issue that has yet to return (and may never for all I know) or that it was due to my previous graphics driver.  I did have this driver version for over a month without issues, so it does seem at least unlikely, but I suppose you never know what might cause an issue and what combination of circumstances might result in such an issue/crash.  It could have been that it just so happened that one or more of my security apps was running a scheduled update while I was streaming and some combination of background processes/activities triggered the BSOD.  I really can't say at this point because as I said, it only happened the one time and has yet to return.

- Have you tested for BSOD's after temporarily removing HitManPro?  If so, what were the results?
- Did the ISATAP adapters stay removed when you rebooted?
- Have you tested the other adapters to see if the BSOD occurs when they are enabled

No, I haven't removed HitmanPro to test, but as I said, the BSOD has yet to return so I'm uncertain at this point what to do to replicate it.

Yes, the ISATAP adapters did stay removed, but the two MS Wifi Virtual Miniport Adapters did not stay removed so I ended up disabling them again.

No, I haven't, but I had them all disabled when the BSOD occurred originally, and the only major changes since would be the graphics driver I mentioned; I also updated my Intel wireless drivers/software after the incident, since you mentioned it looked like it had to do with one or more of my network drivers.  The system seemed stable and had no BSODs in the days prior to updating those drivers, so I'm leaning towards some anomalous issue at this point, most likely caused by either something MB3 was doing (like the intermittent BSODs mentioned by others with version 3.4.5) or by one of the other apps on my system doing something uncommon, or during one or more uncommon activities.  As I said, I've tried to replicate the original conditions when the issue occurred but haven't succeeded in replicating the crash.

No idea, but I doubt it since, at least for Malwarebytes, it works directly through the network stack via WFP, so I don't think it would even be able to see any disabled drivers/devices, at least if I understand how that technology and its APIs function (which I admit I have only a passing knowledge of, so I'm far from an expert).

With regards to the Bluetooth stuff, that again was me deliberately disabling/crippling it as I do not use Bluetooth and wouldn't want it to be available as a possible way into my system (I was one of those who, when Wannacry/WannaCrypt0r came around, was already immune thanks to the fact that I already had SMB and its related networking components/protocols removed/disabled/crippled before those attacks ever happened and even before anyone knew about the EternalBlue exploit/vulnerability).

I think at this point I'll just keep using my system normally as it is and see if the issue eventually returns, and if so, I'll keep saving the dumps and configuration info and try to narrow it down by testing disabling/enabling different things until I can hopefully isolate the root cause of the issue.  I totally understand why determining with absolute certainty the root cause of a crash can be difficult since, while the system is attempting to dump memory to document the cause of the issue, a lot is already going on (and going wrong) through the process of the crash itself, much less whatever's going wrong that causes it and how that might affect other applications/processes/drivers etc.

Besides, this makes me pretty nervous since this is my one and only system which I require for work and pretty much everything else I do (no TV, no smart phone, just me and my PC):

Other times it'll crash before you can log in to Windows.
If you can't get to Safe Mode, then you'll have to resort to offline editing of the registry to disable Driver Verifier.

