Blue screen DRIVER_IRQL_NOT_LESS_OR_EQUAL tcpip.sys

This has happened 3-4 times in the past day and it's been frustrating.

I've searched existing threads and attempted to update device drivers, but the issue seems to keep happening. I've also tried to debug the dump files by myself, but cannot interpret them. I'm not sure if this is an application that's causing this issue or if it's corrupted memory.

Here are the dump files:
http://sdrv.ms/1bpIfgF

Can anyone help identify the root cause of the BSODs?




Hi,

The attached DMP file is of the DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1) bug check.

This indicates that a kernel-mode driver attempted to access pageable memory at a process IRQL that was too high.

A driver tried to access an address that is pageable (or that is completely invalid) while the IRQL was too high. This bug check is usually caused by drivers that have used improper addresses.

By default, the cause of all of the crashes is tcpip.sys which is the TCP/IP Protocol driver (not the true cause), and usually when we have network related crashes like this, it's caused by one of two things:

1. Network drivers themselves need to be updated.

2. 3rd party antivirus or firewall software causing NETBIOS conflicts.

--------------

1. Remove and replace avast! with Microsoft Security Essentials for temporary troubleshooting purposes:

avast! removal - http://www.avast.com/uninstall-utility

MSE -  http://windows.microsoft.com/en-us/windows/security-essentials-download

2. In your loaded drivers list, dtsoftbus01.sys is listed which is the Daemon Tools driver. Daemon Tools is a very popular cause of BSOD's in 7/8 based systems. Please uninstall Daemon Tools. Alternative imaging programs are: MagicISO, Power ISO, etc.

Regards,

Patrick
Debugger/Reverse Engineer.

1 person found this reply helpful


Thanks for the response.

I have 1) updated the drivers and 2) removed the programs you requested and installed the alternatives. 

I'll keep monitoring and update this thread if I see it occurring again (knock on wood).


I'm still seeing blue screens. It happens less often, but still occurs at least once a day.

I ran the Windows Memory Diagnostics test overnight and it came back with no issues found. So, I have ruled out it's corrupt memory. That leaves it to be a driver issue.

Here is the latest dump: http://sdrv.ms/1d6Iop8

What should I do next?

In Device Manager, under Network Adapters, I see the following devices shown:

Bluetooth Device (Personal Area Network)
Bluetooth Device (RFCOMM Protocol TDI)
Intel(R) Centrino (R) Wireless-N 2230
Microsoft Virtual WiFi Miniport Adapter
Realtek PCIe GBE Family Controller
TAP-Windows Adapter V9

Should I update all these drivers?


Uninstall AVG Secure Search and enable Driver Verifier:


Driver Verifier:

What is Driver Verifier?

Driver Verifier is included in Windows 8, 7, Windows Server 2008 R2, Windows Vista, Windows Server 2008, Windows 2000, Windows XP, and Windows Server 2003 to promote stability and reliability; you can use this tool to troubleshoot driver issues. Windows kernel-mode components can cause system corruption or system failures as a result of an improperly written driver, such as an earlier version of a Windows Driver Model (WDM) driver.

Essentially, if there's a 3rd party driver believed to be at issue, enabling Driver Verifier will help flush out the rogue driver if it detects a violation.

Before enabling Driver Verifier, it is recommended to create a System Restore Point:

Vista - START | type rstrui - create a restore point
Windows 7 - START | type create | select "Create a Restore Point"
Windows 8 - http://www.eightforums.com/tutorials/4690-restore-point-create-windows-8-a.html

How to enable Driver Verifier:

Start > type "verifier" without the quotes > Select the following options -

1. Select - "Create custom settings (for code developers)"
2. Select - "Select individual settings from a full list"
3. Check the following boxes -
- Special Pool
- Pool Tracking
- Force IRQL Checking
- Deadlock Detection
- Security Checks (Windows 7 & 8)
- DDI compliance checking (Windows 8)
- Miscellaneous Checks
4. Select  - "Select driver names from a list"
5. Click on the "Provider" tab. This will sort all of the drivers by the provider.
6. Check EVERY box that is NOT provided by Microsoft / Microsoft Corporation.
7. Click on Finish.
8. Restart.

Important information regarding Driver Verifier:

- If Driver Verifier finds a violation, the system will BSOD.

- After enabling Driver Verifier and restarting the system, depending on the culprit, if for example the driver is on start-up, you may not be able to get back into normal Windows because Driver Verifier will flag it, and as stated above, that will cause / force a BSOD.

If this happens, do not panic, do the following:

- Boot into Safe Mode by repeatedly tapping the F8 key during boot-up.

- Once in Safe Mode - Start > Search > type "cmd" without the quotes.

- To turn off Driver Verifier, type in cmd "verifier /reset" without the quotes.
- Restart and boot into normal Windows.

If your OS became corrupt or you cannot boot into Windows after disabling verifier via Safe Mode:

- Boot into Safe Mode by repeatedly tapping the F8 key during boot-up.

- Once in Safe Mode - Start > type "system restore" without the quotes.

- Choose the restore point you created earlier.

How long should I keep Driver Verifier enabled for?

It varies, many experts and analysts have different recommendations. Personally, I recommend keeping it enabled for at least 24 hours. If you don't BSOD by then, disable Driver Verifier.

My system BSOD'd, where can I find the crash dumps?

They will be located in %systemroot%\Minidump

Any other questions can most likely be answered by this article:
http://support.microsoft.com/kb/244617

Regards,

Patrick
Debugger/Reverse Engineer.
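
The same selections can be made from an elevated command prompt with `verifier.exe` instead of the GUI. The PowerShell below is an added example, not part of the original reply: it uses the documented `verifier /flags` bit values, treats a driver as non-Microsoft when the CompanyName in its file version resource lacks "Microsoft" (an assumption about how to reproduce the Provider sort), and only prints the command for review.

```powershell
# Added example, not from the original reply. Requires PowerShell 3.0 or later.
# Bits are the documented "verifier /flags" values; MinOS is the Windows version
# the reply gives for a check (6.1 = Windows 7, 6.2 = Windows 8, 6.0 if none given).
$checks = @(
    @{ Name = 'Special Pool';            Bit = 0x00001; MinOS = '6.0' }
    @{ Name = 'Force IRQL Checking';     Bit = 0x00002; MinOS = '6.0' }
    @{ Name = 'Pool Tracking';           Bit = 0x00008; MinOS = '6.0' }
    @{ Name = 'Deadlock Detection';      Bit = 0x00020; MinOS = '6.0' }
    @{ Name = 'Security Checks';         Bit = 0x00100; MinOS = '6.1' }
    @{ Name = 'Miscellaneous Checks';    Bit = 0x00800; MinOS = '6.0' }
    @{ Name = 'DDI compliance checking'; Bit = 0x20000; MinOS = '6.2' }
)
$os   = [Environment]::OSVersion.Version
$mask = 0
foreach ($c in $checks) {
    if ($os -ge [version]$c.MinOS) { $mask = $mask -bor $c.Bit }
}

# Installed kernel drivers whose file is not published by Microsoft
# (assumption: the GUI lists loaded drivers, so this list can be slightly longer).
$thirdParty = Get-CimInstance Win32_SystemDriver | ForEach-Object {
    $path = $_.PathName -replace '^\\\?\?\\', ''      # strip an NT "\??\" prefix
    if ($path -and (Test-Path -LiteralPath $path)) {
        $company = (Get-Item -LiteralPath $path).VersionInfo.CompanyName
        if ($company -notmatch 'Microsoft') {
            [pscustomobject]@{ File = Split-Path $path -Leaf; Provider = $company }
        }
    }
} | Sort-Object File -Unique

$thirdParty | Format-Table -AutoSize | Out-Host

# Review the list, then run the printed line from an elevated prompt and restart.
'verifier /flags 0x{0:X} /driver {1}' -f $mask, (@($thirdParty.File) -join ' ')
# After the restart, "verifier /querysettings" shows what is active,
# and "verifier /reset" (as in the reply) turns it off again.
```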


Thanks, I removed AVG Secure Search manually. I did a search for "avg" and came up with one instance: avgtpx64.sys in C:/Windows/System32/drivers. Should I remove this? If so, how would I go about removing it?

I also enabled the Driver Verifier and have seen more blue screens today. 3 in the past hour.

Here are the dumps since enabling the Driver Verifier: http://sdrv.ms/1b8TYR2


Don't delete it outright, no, instead rename it from avgtpx64.sys to avgtpx64.old

In regards to the latest DMP's (thank you, by the way) they are all of the *D1 bug check as we've seen and are not faulting a non-Microsoft system file driver.

FAILURE_BUCKET_ID:  X64_0xD1_VRF_tcpip!TcpBeginTcbSend+33e

If we take a look at the FBID, we can see VRF = Verifier is enabled, but the 'culprit' is tcpip.sys (TCP/IP Protocol Driver).

Rename the AVG driver as discussed and we'll then go forward if the issues continue.

Regards,

Patrick
Debugger/Reverse Engineer.
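
The bucket string quoted above splits into fixed fields, which makes it easy to tally across a set of analysed dumps. The PowerShell below is an added example, not part of the original reply; the field layout is inferred from the one string on the page, and the second and third sample lines are constructed (`example` and `ExampleRoutine` are hypothetical names).

```powershell
# Added example, not from the original reply. Requires PowerShell 3.0 or later.
function ConvertFrom-FailureBucketId {
    param([Parameter(ValueFromPipeline = $true)][string]$Line)
    process {
        # [arch_]bugcheck_[VRF_]module!symbol[+hexoffset]
        # Layout inferred from the thread's example; -match is case-insensitive.
        $rx = 'FAILURE_BUCKET_ID:\s*(?:(?<arch>X64|X86)_)?(?<code>0x[0-9A-F]+)_' +
              '(?<vrf>VRF_)?(?<module>[^!\s]+)!(?<symbol>[^+\s]+)(?:\+(?<offset>[0-9A-F]+))?'
        if ($Line -match $rx) {
            [pscustomobject]@{
                Arch     = $Matches['arch']
                BugCheck = $Matches['code']
                Verifier = [bool]$Matches['vrf']      # VRF_ present = Driver Verifier enabled
                Module   = $Matches['module']
                Symbol   = $Matches['symbol']
                Offset   = if ($Matches['offset']) { [Convert]::ToInt32($Matches['offset'], 16) }
            }
        }
    }
}

$sample = @(
    'FAILURE_BUCKET_ID:  X64_0xD1_VRF_tcpip!TcpBeginTcbSend+33e'   # from the thread
    'FAILURE_BUCKET_ID:  X64_0xD1_tcpip!TcpBeginTcbSend+33e'       # constructed
    'FAILURE_BUCKET_ID:  X64_0xD1_VRF_example!ExampleRoutine+1a'   # constructed
)

$parsed = $sample | ConvertFrom-FailureBucketId
$parsed | Format-Table -AutoSize | Out-Host

# Tally per module, and how many of those crashes had Verifier active.
$parsed | Group-Object Module | ForEach-Object {
    [pscustomobject]@{
        Module        = $_.Name
        Crashes       = $_.Count
        UnderVerifier = @($_.Group | Where-Object Verifier).Count
    }
}
```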


Should I keep the Driver Verifier running?


Yes, that would be great.

Regards,

Patrick
Debugger/Reverse Engineer.

1 person found this reply helpful


Just happened 3 times in a span of 5-10 minutes ...


Can you attach the dump files, please?

Regards,

Patrick
Debugger/Reverse Engineer.


Question Info


Last updated January 7, 2023 Views 11,965 Applies to: