fastartcee
I have been averaging one BSOD every three or four days for the past three
weeks. I've done a minidump of the last crash and then used the debugging
tool, which indicated that the "probable cause" was fwpkclnt.sys, but I don't
know what to do about it.
I also did the "kd> !analyze -v" command; all the debugging results are below.
Thanks for any help.
Art
======================================
Microsoft (R) Windows Debugger Version 6.8.0004.0 X86
Copyright (c) Microsoft Corporation. All rights reserved.
Loading Dump File [C:\Windows\Minidump\Mini030408-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available
Symbol search path is:
SRV*c:\symbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
Windows Vista Kernel Version 6000 MP (2 procs) Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS Personal
Built by: 6000.16584.x86fre.vista_gdr.071023-1545
Kernel base = 0x81c00000 PsLoadedModuleList = 0x81d11e10
Debug session time: Tue Mar 4 20:02:27.027 2008 (GMT-8)
System Uptime: 1 days 12:15:25.727
Loading Kernel Symbols
............................................................................................................................................................
Loading User Symbols
Loading unloaded module list
......
*******************************************************************************
*
*
* Bugcheck Analysis
*
*
*
*******************************************************************************
Use !analyze -v to get detailed debugging information.
BugCheck 100000D1, {98, 2, 0, 8c175f5b}
Unable to load image vsdatant.sys, Win32 error 0n2
*** WARNING: Unable to verify timestamp for vsdatant.sys
*** ERROR: Module load completed but symbols could not be loaded for vsdatant.sys
Probably caused by : fwpkclnt.sys ( fwpkclnt!FwpsInjectTransportSendAsync0+220 )
Followup: MachineOwner
---------
0: kd> !analyze -v
*******************************************************************************
*
*
* Bugcheck Analysis
*
*
*
*******************************************************************************
DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high. This is usually
caused by drivers using improper addresses.
If kernel debugger is available get stack backtrace.
Arguments:
Arg1: 00000098, memory referenced
Arg2: 00000002, IRQL
Arg3: 00000000, value 0 = read operation, 1 = write operation
Arg4: 8c175f5b, address which referenced memory
Debugging Details:
------------------
READ_ADDRESS: GetPointerFromAddress: unable to read from 81d315ac
Unable to read MiSystemVaType memory at 81d117e0
00000098
CURRENT_IRQL: 2
FAULTING_IP:
tcpip!IppProcessRawData+3c
8c175f5b f6401801 test byte ptr [eax+18h],1
CUSTOMER_CRASH_COUNT: 1
DEFAULT_BUCKET_ID: VISTA_DRIVER_FAULT
BUGCHECK_STR: 0xD1
PROCESS_NAME: vsmon.exe
LAST_CONTROL_TRANSFER: from 8c196e50 to 8c175f5b
STACK_TEXT:
96c55904 8c196e50 8c1e29c8 96c55a8c 96c55980 tcpip!IppProcessRawData+0x3c
96c55a64 8c1c032f 00000000 00000007 8c1e29c8 tcpip!IppSendDatagramsCommon+0xbb
96c55afc 8c119e9d 00000000 00000007 86828408 tcpip!IppInspectInjectTlSend+0xd7
96c55b58 8c040dba 86fdd058 00000000 00001c97 fwpkclnt!FwpsInjectTransportSendAsync0+0x220
WARNING: Stack unwind information not available. Following frames may be wrong.
96c55ba8 8c03e51e 8697a550 84230f80 84230f84 vsdatant+0x26dba
96c55bbc 8c04413e 021eee58 00000001 84230f80 vsdatant+0x2451e
96c55be0 8c0444f0 86760340 00000001 021eee58 vsdatant+0x2a13e
96c55c18 8c043413 86733098 84230f68 86733098 vsdatant+0x2a4f0
96c55c2c 81c27f83 86733098 84230f68 84230f68 vsdatant+0x29413
96c55c44 81d88f37 86760340 84230f68 84230fd8 nt!IofCallDriver+0x63
96c55c64 81d89efb 86733098 86760340 021eee00 nt!IopSynchronousServiceTail+0x1e0
96c55d00 81d8ee55 86733098 84230f68 00000000 nt!IopXxxControlFile+0x6b7
96c55d34 81c8caaa 00000274 00000000 00000000 nt!NtDeviceIoControlFile+0x2a
96c55d34 77c90f34 00000274 00000000 00000000 nt!KiFastCallEntry+0x12a
021eedf0 00000000 00000000 00000000 00000000 0x77c90f34
STACK_COMMAND: kb
FOLLOWUP_IP:
fwpkclnt!FwpsInjectTransportSendAsync0+220
8c119e9d ff75f4 push dword ptr [ebp-0Ch]
SYMBOL_STACK_INDEX: 3
SYMBOL_NAME: fwpkclnt!FwpsInjectTransportSendAsync0+220
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: fwpkclnt
IMAGE_NAME: fwpkclnt.sys
DEBUG_FLR_IMAGE_TIMESTAMP: 4549b2f6
FAILURE_BUCKET_ID: 0xD1_fwpkclnt!FwpsInjectTransportSendAsync0+220
BUCKET_ID: 0xD1_fwpkclnt!FwpsInjectTransportSendAsync0+220
Followup: MachineOwner
---------
0: kd> lmvm fwpkclnt
start end module name
8c115000 8c12e000 fwpkclnt (pdb symbols) c:\symbols\fwpkclnt.pdb\0CDD1AD5ACD047479C8FB2FAC02E87B01\fwpkclnt.pdb
Loaded symbol image file: fwpkclnt.sys
Mapped memory image file: c:\symbols\fwpkclnt.sys\4549B2F619000\fwpkclnt.sys
Image path: fwpkclnt.sys
Image name: fwpkclnt.sys
Timestamp: Thu Nov 02 01:57:26 2006 (4549B2F6)
CheckSum: 0002402A
ImageSize: 00019000
File version: 6.0.6000.16386
Product version: 6.0.6000.16386
File flags: 0 (Mask 3F)
File OS: 40004 NT Win32
File type: 2.0 Dll
File date: 00000000.00000000
Translations: 0409.04b0
CompanyName: Microsoft Corporation
ProductName: Microsoft® Windows® Operating System
InternalName: fwpkclnt.sys
OriginalFilename: fwpkclnt.sys
ProductVersion: 6.0.6000.16386
FileVersion: 6.0.6000.16386 (vista_rtm.061101-2205)
FileDescription: FWP/IPsec Kernel-Mode API
LegalCopyright: © Microsoft Corporation. All rights reserved.
=====================================