Question

Getting multiple BSoD since upgrading to Win 8.1

Affar2k asked on

So since updating to Windows 8.1 from 8.0, I am getting multiple Blue Screens of Death. I don't know the reason and couldn't revert back to Win 8.0.


Hopefully someone can inspect the dump files in this repo: https://www.dropbox.com/sh/camxh3q2uc89vfa/77rk29PbFe


Thanks,

Answer
Patrick Barker replied on
Hi,

Both attached DMP files are of the DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1) bugcheck.

This indicates that a kernel-mode driver attempted to access pageable memory at a process IRQL that was too high.

A driver tried to access an address that is pageable (or that is completely invalid) while the IRQL was too high. This bug check is usually caused by drivers that have used improper addresses.

If we take a look at the call stack:

1: kd> kv
ChildEBP RetAddr  Args to Child             
826a16b0 81926ca3 0000000a 00000004 00000002 nt!KiBugCheck2
826a16b0 8210f9c4 0000000a 00000004 00000002 nt!KiTrap0E+0x1cf (FPO: [0,0] TrapFrame @ 826a1758)
826a180c 8210f2cd c87d9db0 826a1a28 826a18b4 NETIO!StreamInvokeCalloutAndNormalizeAction+0x38 (FPO: [Non-Fpo])
826a1834 8210f8b6 c87d9db0 826a1a28 00000000 NETIO!StreamCalloutProcessData+0x2f (FPO: [Non-Fpo])
826a1870 8210fe90 c87d9db0 826a1a28 00000001 NETIO!StreamCalloutProcessingLoop+0xc3 (FPO: [Non-Fpo])
826a18e8 82102bbe 00000001 c865afb8 cdcdf0e0 NETIO!StreamProcessCallout+0x1c6 (FPO: [10,21,4])
826a1988 820fdfc4 cdcdf0e0 826a1c84 826a1afc NETIO!ProcessCallout+0x5c0 (FPO: [8,25,4])
826a1a58 820fd021 cdcdf0e0 826a1b38 826a1c84 NETIO!ArbitrateAndEnforce+0x310 (FPO: [Non-Fpo])
826a1c40 82137935 00000014 c865afb8 cdcdf0e0 NETIO!KfdClassify+0x377 (FPO: [6,111,4])
826a1cec 82137543 c865afb8 cdcdf0e0 c7898df8 NETIO!StreamInternalClassify+0xc2 (FPO: [9,31,4])
826a1d50 8213568e 88afde30 88afde30 0000012e NETIO!StreamInject+0x191 (FPO: [5,11,4])
826a1d88 82189285 0001ddd2 00000000 0000013f NETIO!FwppStreamInject+0xec (FPO: [Non-Fpo])
826a1dc4 ae7554ef 87bf51d8 00000000 00000000 fwpkclnt!FwpsStreamInjectAsync0+0xd4 (FPO: [Non-Fpo])
WARNING: Stack unwind information not available. Following frames may be wrong.
826a1e0c ae755685 84dfca28 826a1ed0 8183ea16 FortiWF2+0x24ef
826a1e18 8183ea16 84dfca28 00000000 84dfca28 FortiWF2+0x2685
826a1ed0 8183e626 826a1f18 00000000 00000103 nt!KiExecuteAllDpcs+0x216 (FPO: [Non-Fpo])
826a1ff4 819278ce a51a3b50 00000000 00000000 nt!KiRetireDpcList+0xf6 (FPO: [0,65,4])
826a1ff8 a51a3b50 00000000 00000000 00000000 nt!KiDispatchInterrupt+0x2e (FPO: [Uses EBP] [0,0,1])
819278ce 00000000 00000023 011b850f bb830000 0xa51a3b50


We can see two FortiWF2.sys (FortiClient Web Filter Driver) calls which then lead into various NETIO.sys (Network I/O Subsystem) calls before reaching the bugcheck itself. Overall, what this implies is that FortiClient is causing network-related conflicts. See if an 8.1 update is available first, and if not, remove FortiClient ASAP.

Regards,

Patrick

Debugger/Reverse Engineer.
1 person found this helpful
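
A triage helper for a `kv` trace like the one quoted in the answer above, added here as an example and not part of the original reply or of any debugger tooling: it lists modules outside a Windows allowlist, records which frames have no symbols, and checks whether the stack ran from a DPC. The allowlist contents and the names `parse_kv` and `triage` are assumptions made for illustration.

```python
import re

# Abridged copy of the `kv` frames quoted in the answer above.
KV_OUTPUT = """\
826a16b0 81926ca3 0000000a 00000004 00000002 nt!KiBugCheck2
826a180c 8210f2cd c87d9db0 826a1a28 826a18b4 NETIO!StreamInvokeCalloutAndNormalizeAction+0x38 (FPO: [Non-Fpo])
826a1dc4 ae7554ef 87bf51d8 00000000 00000000 fwpkclnt!FwpsStreamInjectAsync0+0xd4 (FPO: [Non-Fpo])
WARNING: Stack unwind information not available. Following frames may be wrong.
826a1e0c ae755685 84dfca28 826a1ed0 8183ea16 FortiWF2+0x24ef
826a1e18 8183ea16 84dfca28 00000000 84dfca28 FortiWF2+0x2685
826a1ed0 8183e626 826a1f18 00000000 00000103 nt!KiExecuteAllDpcs+0x216 (FPO: [Non-Fpo])
819278ce 00000000 00000023 011b850f bb830000 0xa51a3b50
"""

# Assumption: the allowlist holds only the Windows components seen in this trace.
OS_MODULES = {"nt", "netio", "fwpkclnt"}
FRAME = re.compile(r"^[0-9a-f]{8} [0-9a-f]{8} (?:[0-9a-f]{8} ){3}(\S+)")

def parse_kv(text):
    """Return one dict per frame: module, symbol, and whether the unwind was trusted."""
    frames, reliable = [], True
    for line in text.splitlines():
        if line.startswith("WARNING: Stack unwind information not available"):
            reliable = False               # the debugger is guessing from here down
            continue
        m = FRAME.match(line)
        if not m:
            continue                       # header or blank line
        site = m.group(1)
        module = symbol = None
        if not site.startswith("0x"):      # a bare address belongs to no known module
            module, _, rest = site.partition("!")
            module = module.split("+")[0]  # "FortiWF2+0x24ef" -> "FortiWF2"
            symbol = rest.split("+")[0] or None
        frames.append({"module": module, "symbol": symbol, "reliable": reliable})
    return frames

def triage(frames):
    """Summarise which non-allowlisted drivers are on the stack and in what context."""
    mods = [f["module"] for f in frames if f["module"]]
    return {
        "suspects": list(dict.fromkeys(m for m in mods if m.lower() not in OS_MODULES)),
        # KiExecuteAllDpcs on the stack means the code ran from a DPC (DISPATCH_LEVEL).
        "dpc_context": any(f["symbol"] == "KiExecuteAllDpcs" for f in frames),
        "symbols_missing": [f["module"] for f in frames
                            if f["module"] and not f["symbol"]],
    }

if __name__ == "__main__":
    print(triage(parse_kv(KV_OUTPUT)))
```

A `dpc_context` of true ties back to the IRQL explanation in the answer: DPC routines run at DISPATCH_LEVEL, where touching pageable memory raises this bugcheck.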