Question

Windows 7 Blue Screen

zaloulen asked on

Hi,

I ran into this problem when restarting my PC or putting it to sleep.

Here are the details of the problem:

-----------------------------------------------------------------

Signature du problème :
  Nom d’événement de problème: BlueScreen
  Version du système: 6.1.7601.2.1.0.256.1
  Identificateur de paramètres régionaux: 1036

Informations supplémentaires sur le problème :
  BCCode: 1000009f
  BCP1: 0000000000000004
  BCP2: 0000000000000258
  BCP3: FFFFFA800357C040
  BCP4: FFFFF8000401E510
  OS Version: 6_1_7601
  Service Pack: 1_0
  Product: 256_1

Fichiers aidant à décrire le problème :
  C:\Windows\Minidump\030314-18376-01.dmp
  C:\Users\ALOULEN\AppData\Local\Temp\WER-57829-0.sysdata.xml

-----------------------------------------

Here is the minidump file 

https://onedrive.live.com/redir?resid=B60005D87E8D523%21121

1 person had this question



Answer
Patrick Barker replied on

You're a star, thank you for the MEMORY.DMP!


As said above, it's the same bug check *9F with an 0x4 1st parameter.


0: kd> .bugcheck
Bugcheck code 0000009F
Arguments 00000000`00000004 00000000`00000258 fffffa80`0357c040 fffff800`0401e510


If we take a look at the call stack:


0: kd> kv
Child-SP          RetAddr           : Args to Child                                                           : Call Site
fffff800`0401e4d8 fffff800`02b607e6 : 00000000`0000009f 00000000`00000004 00000000`00000258 fffffa80`0357c040 : nt!KeBugCheckEx
fffff800`0401e4e0 fffff800`02d1134c : fffff800`00000000 fffff800`00000000 00000000`00000200 fffff800`02ad422a : nt!PnpBugcheckPowerTimeout+0x76
fffff800`0401e540 fffff800`02ad985c : 00000000`00000000 fffff880`06731cb0 00000002`40f92a00 00000000`00000005 : nt!PopBuildDeviceNotifyListWatchdog+0x1c
fffff800`0401e570 fffff800`02ad96f6 : fffffa80`060a3688 fffffa80`060a3688 00000000`00000000 00000000`00000000 : nt!KiProcessTimerDpcTable+0x6c
fffff800`0401e5e0 fffff800`02ad95de : 00000016`9cf591f1 fffff800`0401ec58 00000000`00097ff0 fffff800`02c4e088 : nt!KiProcessExpiredTimerList+0xc6
fffff800`0401ec30 fffff800`02ad93c7 : 00000004`b33059c2 00000004`00097ff0 00000004`b33059f6 00000000`000000f0 : nt!KiTimerExpiration+0x1be
fffff800`0401ecd0 fffff800`02ac68ca : fffff800`02c49e80 fffff800`02c57cc0 00000000`00000001 fffff880`00000000 : nt!KiRetireDpcList+0x277
fffff800`0401ed80 00000000`00000000 : fffff800`0401f000 fffff800`04019000 fffff800`0401ed40 00000000`00000000 : nt!KiIdleLoop+0x5a


Not really much info, just a few PnP routines that call into the bugcheck eventually. No driver in the stack, etc.

Let's run !locks to see what's going on:


0: kd> !locks
**** DUMP OF ALL RESOURCE OBJECTS ****
KD: Scanning for held locks..

Resource @ nt!IopDeviceTreeLock (0xfffff80002cd2ce0)    Shared 1 owning threads
     Threads: fffffa800357c040-01<*>
KD: Scanning for held locks.

Resource @ nt!PiEngineLock (0xfffff80002cd2be0)    Exclusively owned
    Contention Count = 12
    NumberOfExclusiveWaiters = 1
     Threads: fffffa800357c040-01<*>
     Threads Waiting On Exclusive Access:
              fffffa800357fb50  


Great, we have a thread address now! Let's check it out:


0: kd> !thread fffffa800357c040
THREAD fffffa800357c040  Cid 0004.0040  Teb: 0000000000000000 Win32Thread: 0000000000000000 WAIT: (Executive) KernelMode Non-Alertable
    fffff880031c43a0  NotificationEvent
IRP List:
    fffffa8005a06bb0: (0006,01f0) Flags: 00000000  Mdl: 00000000
Not impersonating
DeviceMap                 fffff8a000008ca0
Owning Process            fffffa8003566040       Image:         System
Attached Process          N/A            Image:         N/A
Wait Start TickCount      584115         Ticks: 38461 (0:00:09:59.995)
Context Switch Count      25688          IdealProcessor: 1  NoStackSwap
UserTime                  00:00:00.000
KernelTime                00:00:02.106
Win32 Start Address nt!ExpWorkerThread (0xfffff80002ad8150)
Stack Init fffff880031c4db0 Current fffff880031c4090
Base fffff880031c5000 Limit fffff880031bf000 Call 0
Priority 15 BasePriority 12 UnusualBoost 0 ForegroundBoost 0 IoPriority 2 PagePriority 5
Child-SP          RetAddr           : Args to Child                                                           : Call Site
fffff880`031c40d0 fffff800`02ac45f2 : fffffa80`0357c040 fffffa80`0357c040 00000000`00000000 00000000`0000000c : nt!KiSwapContext+0x7a
fffff880`031c4210 fffff800`02ad599f : 00000000`00000000 fffff880`01500992 00000000`00000000 fffff880`00000000 : nt!KiCommitThreadWait+0x1d2
fffff880`031c42a0 fffff880`01531d83 : ffffffff`fffe7900 fffffa80`00000000 00000000`00000000 fffffa80`03797800 : nt!KeWaitForSingleObject+0x19f
fffff880`031c4340 fffff880`0150f0af : fffffa80`037978c0 fffff880`01558110 fffffa80`037978c0 00000000`00000001 : ndis!ndisPauseFilter+0x203
fffff880`031c43d0 fffff880`015ae8ef : fffffa80`036b7cd0 00000000`00000000 00000000`00000008 fffffa80`0600ff00 : ndis! ?? ::FNODOBFM::`string'+0x30ed
fffff880`031c4400 fffff880`015afc2b : 00000000`00000001 fffffa80`036b01a0 fffffa80`036b7cd0 fffffa80`036b0050 : ndis!ndisCloseMiniportBindings+0x11f
fffff880`031c4510 fffff880`01546e6a : fffffa80`036b01a0 fffffa80`036b01a0 fffffa80`05a06bb0 fffff880`014f4300 : ndis!ndisPnPRemoveDevice+0x25b
fffff880`031c46b0 fffff880`015a35b2 : 00000000`00000000 fffffa80`036b01a0 fffffa80`05a06bb0 00000000`00000002 : ndis!ndisPnPRemoveDeviceEx+0xca
fffff880`031c4710 fffff800`02d3b121 : fffff8a0`09146650 fffffa80`036b0050 00000000`c00000bb 00000000`00000000 : ndis! ?? ::LNCPHCLB::`string'+0x7363
fffff880`031c47b0 fffff800`02ebb3a1 : fffffa80`03694580 00000000`00000000 fffffa80`0376c900 00000000`00000801 : nt!IopSynchronousCall+0xe1
fffff880`031c4820 fffff800`02bd1063 : fffff8a0`0ac87d80 fffff8a0`0ac87d80 00000000`00000018 00000000`00000000 : nt!IopRemoveDevice+0x101
fffff880`031c48e0 fffff800`02ebaef4 : fffffa80`0376c900 00000000`00000000 00000000`00000002 00000000`00000000 : nt!PnpRemoveLockedDeviceNode+0x1a3
fffff880`031c4930 fffff800`02ebb000 : 00000000`00000000 fffffa80`03694500 fffff8a0`09e5d9e0 fffff800`02cd2ae0 : nt!PnpDeleteLockedDeviceNode+0x44
fffff880`031c4960 fffff800`02ebb0f9 : fffffa80`04cc2c02 fffffa80`04cc2c70 00000000`00000001 00000000`00000000 : nt!PnpDeleteLockedDeviceNodes+0xa0
fffff880`031c49d0 fffff800`02ebb271 : fffffa80`04cc2c70 00000000`00000000 fffffa80`04cc2c70 00000000`00000001 : nt!PnpDelayedRemoveWorker+0x79
fffff880`031c4a20 fffff800`02bd129a : 00000000`00000000 fffffa80`05d03400 00000000`0000000a 00000000`00000000 : nt!PnpChainDereferenceComplete+0x131
fffff880`031c4a60 fffff800`02f4c2a0 : 00000000`00000000 fffffa80`0376c900 fffff8a0`02eed6a0 00000000`00000001 : nt!PnpIsChainDereferenced+0xda
fffff880`031c4ae0 fffff800`02f4c53c : fffff880`031c4cb8 00000000`00000000 fffff8a0`09163000 fffffa80`00000000 : nt!PnpProcessQueryRemoveAndEject+0xff0
fffff880`031c4c20 fffff800`02e3573e : 00000000`00000000 fffffa80`047d9a20 fffff8a0`02eed6a0 00000000`00000001 : nt!PnpProcessTargetDeviceEvent+0x4c
fffff880`031c4c50 fffff800`02ad8261 : fffff800`02d39f88 fffff8a0`02eed6a0 fffff800`02c742d8 00000000`00000000 : nt! ?? ::NNGAKEGL::`string'+0x54d9b
fffff880`031c4cb0 fffff800`02d6b2ea : 00000000`00000000 fffffa80`0357c040 00000000`00000080 fffffa80`03566040 : nt!ExpWorkerThread+0x111
fffff880`031c4d40 fffff800`02abf8e6 : fffff880`02fd3180 fffffa80`0357c040 fffff880`02fddfc0 ffffffff`e6fffffe : nt!PspSystemThreadStartup+0x5a
fffff880`031c4d80 00000000`00000000 : fffff880`031c5000 fffff880`031bf000 fffff880`031c4030 00000000`00000000 : nt!KxStartSystemThread+0x16


Now here's where we have some more info, and a much better stack. We can see a few ndis.sys routines being called (Network Driver Interface Specification driver). The Network Driver Interface Specification (NDIS) is an application programming interface (API) for network interface cards (NICs). The NDIS forms the Logical Link Control (LLC) sublayer, which is the upper sublayer of the OSI data link layer (layer 2). Therefore, the NDIS acts as the interface between the Media Access Control (MAC) sublayer, which is the lower sublayer of the data link layer, and the network layer (layer 3). 

The NDIS is a library of functions often referred to as a "wrapper" that hides the underlying complexity of the NIC hardware and serves as a standard interface for level 3 network protocol drivers and hardware level MAC drivers. Another common LLC is the Open Data-Link Interface (ODI).


Let's go ahead and take a look at the current IRP within the thread:


0: kd> !irp fffffa8005a06bb0 7
Irp is active with 2 stacks 2 is current (= 0xfffffa8005a06cc8)
 No Mdl: No System Buffer: Thread fffffa800357c040:  Irp stack trace.  
Flags = 00000000
ThreadListEntry.Flink = fffffa800357c430
ThreadListEntry.Blink = fffffa800357c430
IoStatus.Status = c00000bb
IoStatus.Information = 00000000
RequestorMode = 00000000
Cancel = 00
CancelIrql = 0
ApcEnvironment = 00
UserIosb = fffff880031c47e0
UserEvent = fffff880031c47f0
Overlay.AsynchronousParameters.UserApcRoutine = 00000000
Overlay.AsynchronousParameters.UserApcContext = 00000000
Overlay.AllocationSize = 00000000 - 00000000
CancelRoutine = 00000000   
UserBuffer = 00000000
&Tail.Overlay.DeviceQueueEntry = fffffa8005a06c28
Tail.Overlay.Thread = fffffa800357c040
Tail.Overlay.AuxiliaryBuffer = 00000000
Tail.Overlay.ListEntry.Flink = 00000000
Tail.Overlay.ListEntry.Blink = 00000000
Tail.Overlay.CurrentStackLocation = fffffa8005a06cc8
Tail.Overlay.OriginalFileObject = 00000000
Tail.Apc = 00000000
Tail.CompletionKey = 00000000
     cmd  flg cl Device   File     Completion-Context
 [  0, 0]   0  0 00000000 00000000 00000000-00000000    

            Args: 00000000 00000000 00000000 00000000
>[ 1b, 2]   0  0 fffffa80036b0050 00000000 00000000-00000000    
          *** ERROR: Module load completed but symbols could not be loaded for ew_jucdcecm.sys
 \Driver\huawei_cdcecm
            Args: 00000000 00000000 00000000 00000000


Ah, here we go... a driver!

ew_jucdcecm.sys = HUAWEI Mobile Connect driver (Bus Enumerate Device).

Let's now go ahead and run !devstack on the highlighted address for ew_jucdcecm.sys:

0: kd> !devstack fffffa80036b0050
  !DevObj   !DrvObj            !DevExt   ObjectName
> fffffa80036b0050  \Driver\huawei_cdcecm  fffffa80036b01a0  NDMP19
  fffffa8003694580  \Driver\huawei_enumerator  fffffa8003694390  00000086
!DevNode fffffa800376c900 :
  DeviceInst is "usbcdcncm\Vid_12D1&Subclass_02&Prot_16\7&2fa1189a&0&0001_00"
  ServiceName is "huawei_cdcecm"

---------------------

There are two things possible here:

1. Update the driver itself - http://consumer.huawei.com/en/support/downloads/index.htm

2. ESET may be causing NETBIOS conflicts, which is in turn causing crashes. With this said, please remove and replace ESET with MSE for temporary troubleshooting purposes:

ESET removal - http://kb.eset.com/esetkb/index?page=content&id=SOLN2788

MSE -  http://windows.microsoft.com/en-us/windows/security-essentials-download

3. In your loaded drivers list, dtsoftbus01.sys is listed, which is the Daemon Tools driver. Daemon Tools is a very popular cause of BSODs in 7/8-based systems. Please uninstall Daemon Tools. Alternative imaging programs are: MagicISO, Power ISO, etc.

Regards,

Patrick

Debugger/Reverse Engineer.
2 people found this helpful
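
The chain the answer follows (.bugcheck, then !locks, then !irp) can be cross-checked mechanically. The Python below is an added example, not part of the original post: it parses excerpts of the kd output quoted above and confirms that Arg3 of the bug check already names the thread that !locks shows holding the PnP engine lock. The function names are hypothetical; the meanings of Arg2 and Arg3 are taken from Microsoft's documentation for bug check 0x9F with first parameter 0x4.

```python
import re

# Excerpts copied from the kd output quoted in the answer above.
BUGCHECK = """Bugcheck code 0000009F
Arguments 00000000`00000004 00000000`00000258 fffffa80`0357c040 fffff800`0401e510"""
LOCKS = """Resource @ nt!IopDeviceTreeLock (0xfffff80002cd2ce0)    Shared 1 owning threads
     Threads: fffffa800357c040-01<*>
Resource @ nt!PiEngineLock (0xfffff80002cd2be0)    Exclusively owned
     Threads: fffffa800357c040-01<*>
     Threads Waiting On Exclusive Access:
              fffffa800357fb50"""
IRP = r""">[ 1b, 2]   0  0 fffffa80036b0050 00000000 00000000-00000000
 \Driver\huawei_cdcecm"""

def parse_bugcheck(text):
    """Return (code, [arg1..arg4]) from .bugcheck output."""
    code = int(re.search(r"Bugcheck code ([0-9A-Fa-f]+)", text).group(1), 16)
    args = re.search(r"Arguments (.+)", text).group(1).split()
    return code, [int(a.replace("`", ""), 16) for a in args]

def exclusive_owners(text):
    """Map each exclusively owned resource in !locks output to its owner thread."""
    owners, current = {}, None
    for line in text.splitlines():
        if line.startswith("Resource @"):
            m = re.match(r"Resource @ (\S+) .*Exclusively owned", line)
            current = m.group(1) if m else None
        elif current and (t := re.match(r"\s+Threads: ([0-9a-f]+)-", line)):
            owners[current] = int(t.group(1), 16)
    return owners

def current_irp_driver(text):
    """Return (major, minor, device object, driver) for the '>' stack location."""
    m = re.search(r"^>\[\s*([0-9a-f]+),\s*([0-9a-f]+)\]\s+\S+\s+\S+\s+([0-9a-f]+)"
                  r".*\n(?:.*\n)*?\s*(\\Driver\\\S+)", text, re.M)
    return (int(m[1], 16), int(m[2], 16), int(m[3], 16), m[4]) if m else None

def triage():
    code, args = parse_bugcheck(BUGCHECK)
    if code != 0x9F or args[0] != 0x4:
        raise ValueError("not the 0x9F / 0x4 PnP-lock timeout variant")
    major, minor, devobj, driver = current_irp_driver(IRP)
    return {
        "timeout_seconds": args[1],           # Arg2 (0x258)
        "lock_holder": hex(args[2]),          # Arg3: thread holding the PnP lock
        "holder_owns_exclusive_lock": args[2] in exclusive_owners(LOCKS).values(),
        "irp": (hex(major), hex(minor)),      # 0x1b/0x2 = IRP_MJ_PNP / IRP_MN_REMOVE_DEVICE
        "device_object": hex(devobj),
        "driver": driver,
    }
```

The 600-second timeout in Arg2 lines up with the 0:00:09:59.995 wait shown for the thread in the !thread output.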
