BSOD with tcpip.sys

Hello,

I got my first BSOD in years; it was related to tcpip.sys with DRIVER_IRQL_NOT_LESS_OR_EQUAL.

I ran analysis on the minidump file and it said:

Module load completed but symbols could not be loaded for mwac.sys

I included the dump file in an attachment if someone wants to do their analysis on it.

Here's the full dump file analysis:

Microsoft (R) Windows Debugger Version 6.3.9600.17336 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.


Loading Dump File [J:\101218-10984-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available


************* Symbol Path validation summary **************
Response                         Time (ms)     Location
Deferred                                       SRV*C:\SymCache*http://msdl.microsoft.com/download/symbols
Symbol search path is: SRV*C:\SymCache*http://msdl.microsoft.com/download/symbols
Executable search path is:
Windows 8 Kernel Version 17763 MP (12 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 17763.1.amd64fre.rs5_release.180914-1434
Machine Name:
Kernel base = 0xfffff801`69e12000 PsLoadedModuleList = 0xfffff801`6a231a50
Debug session time: Fri Oct 12 05:36:51.096 2018 (UTC + 3:00)
System Uptime: 0 days 7:28:03.639
Loading Kernel Symbols
.

Press ctrl-c (cdb, kd, ntsd) or ctrl-break (windbg) to abort symbol loads that take too long.
Run !sym noisy before .reload to track down problems loading symbols.

..............................................................
................................................................
......................................................
Loading User Symbols
Loading unloaded module list
.............
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck D1, {a8, 2, 0, fffff8016ca79790}

*** WARNING: Unable to verify timestamp for mwac.sys
*** ERROR: Module load completed but symbols could not be loaded for mwac.sys
Probably caused by : memory_corruption

Followup: memory_corruption
---------

4: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high.  This is usually
caused by drivers using improper addresses.
If kernel debugger is available get stack backtrace.
Arguments:
Arg1: 00000000000000a8, memory referenced
Arg2: 0000000000000002, IRQL
Arg3: 0000000000000000, value 0 = read operation, 1 = write operation
Arg4: fffff8016ca79790, address which referenced memory

Debugging Details:
------------------


READ_ADDRESS: unable to get nt!MmSpecialPoolStart
unable to get nt!MmSpecialPoolEnd
unable to get nt!MmPagedPoolEnd
unable to get nt!MmNonPagedPoolStart
unable to get nt!MmSizeOfNonPagedPoolInBytes
 00000000000000a8

CURRENT_IRQL:  2

FAULTING_IP:
tcpip!TcpCloseTcb+298
fffff801`6ca79790 428b04c2        mov     eax,dword ptr [rdx+r8*8]

CUSTOMER_CRASH_COUNT:  1

DEFAULT_BUCKET_ID:  CODE_CORRUPTION

BUGCHECK_STR:  AV

PROCESS_NAME:  MBAMService.ex

ANALYSIS_VERSION: 6.3.9600.17336 (debuggers(dbg).150226-1500) amd64fre

TRAP_FRAME:  ffff8a0c4476ea70 -- (.trap 0xffff8a0c4476ea70)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=0000000000000007 rbx=0000000000000000 rcx=ffffb980aa567180
rdx=0000000000000000 rsi=0000000000000000 rdi=0000000000000000
rip=fffff8016ca79790 rsp=ffff8a0c4476ec00 rbp=ffff8a0c4476ed00
 r8=0000000000000015  r9=0000000000000002 r10=0000000040000821
r11=0000000000000001 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0         nv up ei pl zr na po nc
tcpip!TcpCloseTcb+0x298:
fffff801`6ca79790 428b04c2        mov     eax,dword ptr [rdx+r8*8] ds:00000000`000000a8=????????
Resetting default scope

LAST_CONTROL_TRANSFER:  from fffff80169fd4669 to fffff80169fc2f30

STACK_TEXT:  
ffff8a0c`4476e928 fffff801`69fd4669 : 00000000`0000000a 00000000`000000a8 00000000`00000002 00000000`00000000 : nt!KeBugCheckEx
ffff8a0c`4476e930 fffff801`69fd0a8e : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiBugCheckDispatch+0x69
ffff8a0c`4476ea70 fffff801`6ca79790 : ffffca8e`b13be8f0 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiPageFault+0x44e
ffff8a0c`4476ec00 fffff801`6cb3cf0c : 00000000`00000100 00000000`37f5ad5b 00000000`00000000 00000000`00000100 : tcpip!TcpCloseTcb+0x298
ffff8a0c`4476ed50 fffff801`6ca868e5 : ffffca8e`b1075550 00000000`00000200 00000000`00000000 00000000`00000000 : tcpip!TcpCreateAndConnectTcbRateLimitComplete+0xb4200
ffff8a0c`4476efc0 fffff801`6ca86719 : 00000000`00000200 00000000`00000200 ffffca8e`aa93e740 00000000`00000040 : tcpip!TcpCreateAndConnectTcbInspectConnectComplete+0x75
ffff8a0c`4476f0a0 fffff801`6ca860a8 : 00000000`00000000 ffffca8e`b13be8f0 00000000`00000000 ffffca8e`b13be8f0 : tcpip!TcpContinueCreateAndConnect+0x565
ffff8a0c`4476f2b0 fffff801`6cba1154 : ffffca8e`00000000 00000000`00000002 ffffca8e`acb46d70 fffff801`693a4880 : tcpip!TcpCreateAndConnectTcbInspectConnectRequestComplete+0x118
ffff8a0c`4476f3c0 fffff801`6c9ad9c5 : ffffca8e`acb46d70 ffffca8e`a2bc4690 ae0639ab`b820b6cc 00000000`00000000 : tcpip!AlepReleaseConnectRequestInspectContext+0x54
ffff8a0c`4476f410 fffff801`6c9aea10 : fffff801`693a4c00 ffffca8e`aa93e7d0 fffff801`693a4880 ffffca8e`b0ed77d0 : NETIO!ClassifyContextCleanupRoutine+0x55
ffff8a0c`4476f440 fffff801`6c9ae7f2 : 00000000`000006ae ffffca8e`00000000 ae0639ab`b820b6cc fffff801`69395958 : NETIO!WfpObjectDereference+0x20
ffff8a0c`4476f470 fffff801`6cd36270 : 00000000`000006ae fffff801`693a4880 ffff8a0c`4476f508 00000000`00000000 : NETIO!FeReleaseClassifyHandle+0x32
ffff8a0c`4476f4a0 fffff801`69398609 : ffffca8e`b0ed77d0 00000000`00000002 fffff801`693a4880 00000000`00000000 : fwpkclnt!FwpsReleaseClassifyHandle0+0x10
ffff8a0c`4476f4d0 ffffca8e`b0ed77d0 : 00000000`00000002 fffff801`693a4880 00000000`00000000 fffff801`693a4c40 : mwac+0x8609
ffff8a0c`4476f4d8 00000000`00000002 : fffff801`693a4880 00000000`00000000 fffff801`693a4c40 fffff801`69399553 : 0xffffca8e`b0ed77d0
ffff8a0c`4476f4e0 fffff801`693a4880 : 00000000`00000000 fffff801`693a4c40 fffff801`69399553 ffffca8e`b0ed77d0 : 0x2
ffff8a0c`4476f4e8 00000000`00000000 : fffff801`693a4c40 fffff801`69399553 ffffca8e`b0ed77d0 fffff801`00000002 : mwac+0x14880


STACK_COMMAND:  kb

CHKIMG_EXTENSION: !chkimg -lo 50 -d !nt
    fffff80169f85671 - nt!MiZeroPageThread+191
    [ f6:9d ]
1 error : !nt (fffff80169f85671)

MODULE_NAME: memory_corruption

IMAGE_NAME:  memory_corruption

FOLLOWUP_NAME:  memory_corruption

DEBUG_FLR_IMAGE_TIMESTAMP:  0

MEMORY_CORRUPTOR:  ONE_BYTE

FAILURE_BUCKET_ID:  MEMORY_CORRUPTION_ONE_BYTE

BUCKET_ID:  MEMORY_CORRUPTION_ONE_BYTE

ANALYSIS_SOURCE:  KM

FAILURE_ID_HASH_STRING:  km:memory_corruption_one_byte

FAILURE_ID_HASH:  {ad110d6a-3b33-2c0a-c931-570eae1ba92d}

Followup: memory_corruption
---------

Thanks in advance. :)

101218-10984-01.dmp


This message simply means that the symbol server (at Microsoft) doesn't contain symbols for mwac.sys (a MalwareBytes driver).

"Module load completed but symbols could not be loaded for mwac.sys"

If the BSODs are recurring, then try:
- ensuring that you have the latest version of MalwareBytes installed and that it is fully updated.
- disabling the web protection component of MalwareBytes (if updating doesn't stop the BSODs).

This can be caused by older versions of MalwareBytes, or by other 3rd party drivers that aren't able to work well with MalwareBytes.

If the BSODs still continue, please run this report-collecting tool (from the pinned topic at the top of the forum) so that we can provide a complete analysis:  https://forums.malwarebytes.org/topic/170037-blue-screen-of-death-bsod-posting-instructions-windows-10-81-8-7-vista/

FYI - I don't often use the Perfmon report, so if it doesn't work please just let me know.
NOTE:  On problem systems it can take up to 20 minutes for the log files to complete.  Please be patient and let it run.

If you still have problems with it running, there's an alternate tool here (direct download link):  https://github.com/blueelvis/BSOD-Inspector/releases/download/1.0.5/BSODInspector-1.0.5.exe

NOTE:
Please zip up the files (.ZIP) - do not use .RAR, .7z or other compression utilities.
.ZIP is the file type that can be uploaded to the forums.


Alright. Thanks a lot usasma :)

So far the BSOD has only occurred once; if it recurs I will do what you suggested.

I already have the latest version of MalwareBytes (3.6.1), and I updated my Intel Gigabit LAN drivers after the BSOD, so I will see how things go now.

The BSOD happened when I was downloading 3 files in Internet Download Manager. I believe that MWB at that moment (right before the BSOD) stressed the LAN driver or was phoning home, or something like that, which caused a conflict of some sort.


I’m not an official MalwareBytes person, I’m just a volunteer here.

IMO, the mwac.sys driver is a very delicate driver that is also very complicated in its functions. As a consequence, the slightest instability in another driver is a recipe for disaster.  Finally, as technology matures, we're finding more and more programs that install drivers and interact with the internet/network.

As such, the more one asks of their system, the more chance there is for instabilities with the system.

When I first started doing this, it was fairly easy to isolate a single driver as the cause of a BSOD. Again, as technology has matured, BSODs have also become more complicated and we're now finding that interactions between drivers (causing BSODs) are becoming much more common.


Daemon Tools drivers date from 2015 - that's very old for a known problem program.
I suggest uninstalling that program.  If you MUST keep it, then be sure to get the latest available version.

Older versions of Daemon Tools were known to spit out BSODs quite frequently.  I haven't seen many recently (but I haven't been as active in BSOD analysis as I used to be).

Also, as you get time, please run these free hardware diagnostics:  http://www.carrona.org/hwdiag.html
I don't strongly suspect a hardware issue - but it is a possibility (seen sometimes with the MEMORY_CORRUPTION_ONE_BYTE Failure Bucket ID).

Analysis:
The following is for information purposes only.
The following information contains the relevant information from the blue screen analysis:
**************************Thu Oct 11 22:36:51.096 2018 (UTC - 4:00)**************************
Loading Dump File [C:\Users\john\SysnativeBSODApps\101218-10984-01.dmp]
Windows 10 Kernel Version 17763 MP (12 procs) Free x64
Built by: 17763.1.amd64fre.rs5_release.180914-1434
System Uptime:0 days 7:28:03.639
*** WARNING: Unable to verify timestamp for mwac.sys
*** ERROR: Module load completed but symbols could not be loaded for mwac.sys
Probably caused by :memory_corruption
BugCheck D1, {a8, 2, 0, fffff8016ca79790}
BugCheck Info: DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)
Arguments:
Arg1: 00000000000000a8, memory referenced
Arg2: 0000000000000002, IRQL
Arg3: 0000000000000000, value 0 = read operation, 1 = write operation
Arg4: fffff8016ca79790, address which referenced memory
BUGCHECK_STR:  AV
DEFAULT_BUCKET_ID:  CODE_CORRUPTION
PROCESS_NAME:  MBAMService.exe
FAILURE_BUCKET_ID: MEMORY_CORRUPTION_ONE_BYTE

3rd Party Drivers:
The following is for information purposes only.
My recommendations were given above. The drivers that follow belong to software or devices that were not developed by Microsoft.  You can find links to the driver information and where to update the drivers in the section after the code box:
**************************Thu Oct 11 22:36:51.096 2018 (UTC - 4:00)**************************
intelppm.sys                Wed Feb  8 18:16:35 2012 (4F330253)
AsIO.sys                    Wed Aug 22 05:54:47 2012 (5034AC67)
dtlitescsibus.sys           Thu Sep 24 16:17:21 2015 (56045A51)
dtliteusbbus.sys            Mon Dec 28 08:05:52 2015 (568133B0)
athwnx.sys                  Tue Mar  1 03:39:03 2016 (56D55527)
fltsrv.sys                  Thu Feb  9 13:29:52 2017 (589CB520)
snapman.sys                 Thu Feb  9 14:33:30 2017 (589CC40A)
tib.sys                     Thu Feb  9 18:19:35 2017 (589CF907)
virtual_file.sys            Thu Feb  9 18:56:13 2017 (589D019D)
file_tracker.sys            Thu Feb  9 19:44:21 2017 (589D0CE5)
tib_mounter.sys             Fri Feb 10 12:31:42 2017 (589DF8FE)
e1d65x64.sys                Mon Sep 25 08:45:31 2017 (59C8FA6B)
idmwfp.sys                  Wed Feb 28 14:33:36 2018 (5A970410)
TeeDriverW8x64.sys          Wed Apr 11 10:46:32 2018 (5ACE1FC8)
mbae64.sys                  Wed May 30 07:20:29 2018 (5B0E88FD)
nvhda64v.sys                Tue Jun 26 04:22:26 2018 (5B31F7C2)
RTKVHD64.sys                Thu Aug  2 04:52:59 2018 (5B62C66B)
mbamswissarmy.sys           Fri Aug 24 10:44:58 2018 (5B8019EA)
farflt.sys                  Tue Sep  4 09:45:39 2018 (5B8E8C83)
mbam.sys                    Thu Sep  6 17:08:30 2018 (5B91974E)
mwac.sys                    Wed Sep 12 17:28:27 2018 (5B9984FB)
nvlddmkm.sys                Tue Oct  2 01:26:43 2018 (5BB30193)
dump_dumpstorport.sys       Wed Jul  7 01:29:40 2021 (60E53BC4)
SgrmAgent.sys               ***** Invalid 2018 Invalid 2018 Invalid
afunix.sys                  ***** Invalid 1975 Invalid 1975 Invalid
dump_stornvme.sys           ***** Invalid 2021 Invalid 2021 Invalid
winquic.sys                 ***** Invalid 2013 Invalid 2013 Invalid

http://www.carrona.org/drivers/driver.php?id=intelppm.sys
http://www.carrona.org/drivers/driver.php?id=AsIO.sys
http://www.carrona.org/drivers/driver.php?id=dtlitescsibus.sys
http://www.carrona.org/drivers/driver.php?id=dtliteusbbus.sys
http://www.carrona.org/drivers/driver.php?id=athwnx.sys
http://www.carrona.org/drivers/driver.php?id=fltsrv.sys
http://www.carrona.org/drivers/driver.php?id=snapman.sys
http://www.carrona.org/drivers/driver.php?id=tib.sys
virtual_file.sys - this driver hasn't been added to the DRT as of this run. Please search Google/Bing for the driver if additional information is needed.
http://www.carrona.org/drivers/driver.php?id=file_tracker.sys
http://www.carrona.org/drivers/driver.php?id=tib_mounter.sys
http://www.carrona.org/drivers/driver.php?id=e1d65x64.sys
http://www.carrona.org/drivers/driver.php?id=idmwfp.sys
http://www.carrona.org/drivers/driver.php?id=TeeDriverW8x64.sys
http://www.carrona.org/drivers/driver.php?id=mbae64.sys
http://www.carrona.org/drivers/driver.php?id=nvhda64v.sys
http://www.carrona.org/drivers/driver.php?id=RTKVHD64.sys
http://www.carrona.org/drivers/driver.php?id=mbamswissarmy.sys
http://www.carrona.org/drivers/driver.php?id=farflt.sys
http://www.carrona.org/drivers/driver.php?id=mbam.sys
http://www.carrona.org/drivers/driver.php?id=mwac.sys
http://www.carrona.org/drivers/driver.php?id=nvlddmkm.sys
dump_dumpstorport.sys - this driver hasn't been added to the DRT as of this run. Please search Google/Bing for the driver if additional information is needed.
SgrmAgent.sys - this driver hasn't been added to the DRT as of this run. Please search Google/Bing for the driver if additional information is needed.
afunix.sys - this driver hasn't been added to the DRT as of this run. Please search Google/Bing for the driver if additional information is needed.
dump_stornvme.sys - this driver hasn't been added to the DRT as of this run. Please search Google/Bing for the driver if additional information is needed.
winquic.sys - this driver hasn't been added to the DRT as of this run. Please search Google/Bing for the driver if additional information is needed.

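The triage usasma performs above (reading the STACK_TEXT to find the first module that is not part of Windows, and flagging third-party drivers whose link timestamps are old relative to the crash) scripted in Python, as an added example that is not from this thread or from Malwarebytes. The Microsoft module set and the three-year age threshold are assumptions, and the stack and driver excerpts are constructed from the output quoted in the posts above (trimmed to two argument columns).

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed excerpt of the STACK_TEXT quoted earlier in the thread, trimmed to two
# argument columns and to the frames that matter for triage.
STACK = """\
STACK_TEXT:
ffff8a0c`4476e928 fffff801`69fd4669 : 00000000`0000000a 00000000`000000a8 : nt!KeBugCheckEx
ffff8a0c`4476ec00 fffff801`6cb3cf0c : 00000000`00000100 00000000`37f5ad5b : tcpip!TcpCloseTcb+0x298
ffff8a0c`4476f410 fffff801`6c9aea10 : fffff801`693a4c00 ffffca8e`aa93e7d0 : NETIO!ClassifyContextCleanupRoutine+0x55
ffff8a0c`4476f4a0 fffff801`69398609 : ffffca8e`b0ed77d0 00000000`00000002 : fwpkclnt!FwpsReleaseClassifyHandle0+0x10
ffff8a0c`4476f4d0 ffffca8e`b0ed77d0 : 00000000`00000002 fffff801`693a4880 : mwac+0x8609
ffff8a0c`4476f4d8 00000000`00000002 : fffff801`693a4880 00000000`00000000 : 0xffffca8e`b0ed77d0
"""

# Assumption: modules that ship with Windows; anything else on the stack is third party.
MICROSOFT_MODULES = {"nt", "hal", "ndis", "tcpip", "NETIO", "fwpkclnt", "afd"}

def stack_modules(text):
    """Module name of each STACK_TEXT frame, from the crash (top) down to the callers."""
    mods = []
    for line in text.splitlines():
        m = re.search(r":\s+(\S+)\s*$", line)
        if not m or m.group(1).startswith("0x"):
            continue                 # header line, or a bare return address with no module
        mods.append(re.split(r"[!+]", m.group(1))[0])
    return mods

def first_third_party(text, microsoft=MICROSOFT_MODULES):
    """First non-Windows module below the faulting frame: the usual suspect for a D1."""
    return next((m for m in stack_modules(text) if m not in microsoft), None)

# Constructed excerpt of the "3rd Party Drivers" table from the analysis post; the hex
# in parentheses is the PE link timestamp in seconds since the Unix epoch.
DRIVERS = """\
intelppm.sys                Wed Feb  8 18:16:35 2012 (4F330253)
dtlitescsibus.sys           Thu Sep 24 16:17:21 2015 (56045A51)
dtliteusbbus.sys            Mon Dec 28 08:05:52 2015 (568133B0)
mwac.sys                    Wed Sep 12 17:28:27 2018 (5B9984FB)
SgrmAgent.sys               ***** Invalid 2018 Invalid 2018 Invalid
"""
CRASH_TIME = datetime(2018, 10, 12, 2, 36, 51, tzinfo=timezone.utc)  # dump header, in UTC

def stale_drivers(table, crash_time, years=3):
    """Drivers linked more than `years` before the crash (the threshold is an assumption)."""
    stale = []
    for line in table.splitlines():
        m = re.match(r"(\S+)\s+.*\(([0-9A-Fa-f]{8})\)\s*$", line)
        if not m:
            continue                 # rows whose timestamp the tool could not decode
        built = datetime.fromtimestamp(int(m.group(2), 16), tz=timezone.utc)
        if crash_time - built > timedelta(days=365.25 * years):
            stale.append(m.group(1))
    return stale
```

Run against the full STACK_TEXT and driver table from the posts above, it points at mwac as the first third-party frame under tcpip/NETIO and flags the 2012 and 2015 drivers, matching the manual conclusion.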

WOW, thanks a lot for the detailed and great answer, usasma. Really appreciated!

For now I haven't had any more BSODs; I suspect it was something to do with the network driver and MWB not playing well together. I also forgot to mention that it happened a few days after I upgraded to the Win 10 October update, so I think it's all related.

As for hardware, I don't think I have any problem, but still, I cleaned the contacts of my 2 RAM sticks. Thanks for the suggestion and the link though, hopefully I won't need it. :D

I uninstalled Daemon Tools as you suggested. I just installed it for one occasion and forgot to uninstall it afterwards. I don't need it anyway.

Thanks again, you have been of great help. :)
