Question

BSOD Week 2

Asktechman asked on
So I'm kind of new here. I have dump files for the BSOD. I need some help.

Answer
Patrick Barker replied on

Fantastic, thank you!

We have two bug checks:

DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)

This indicates that a kernel-mode driver attempted to access pageable memory at a process IRQL that was too high.

A driver tried to access an address that is pageable (or that is completely invalid) while the IRQL was too high. This bug check is usually caused by drivers that have used improper addresses.

0: kd> kv
Child-SP          RetAddr           : Args to Child                                                           : Call Site
fffff880`07dff638 fffff800`03689169 : 00000000`0000000a 00000000`00000000 00000000`00000002 00000000`00000000 : nt!KeBugCheckEx
fffff880`07dff640 fffff800`03687de0 : 00000000`00000000 00000000`00000000 fffffa80`0651a810 fffffa80`05cfc610 : nt!KiBugCheckDispatch+0x69
fffff880`07dff780 fffff880`06c8b857 : fffffa80`05cfc610 fffffa80`05cfc610 00000000`00000000 fffff880`06cb5af2 : nt!KiPageFault+0x260 (TrapFrame @ fffff880`07dff780)
fffff880`07dff910 fffff880`06c8afc6 : fffffa80`0571eb00 fffffa80`05cfc610 ffff0000`0109db21 00000000`00000000 : rtl8192se+0x32857
fffff880`07dff990 fffff880`06cb5431 : fffffa80`00000000 fffffa80`0572f000 00000000`00000000 fffff880`043d8020 : rtl8192se+0x31fc6
fffff880`07dff9f0 fffff880`06cb3c3a : fffffa80`0572f000 fffffa80`0572f880 fffffa80`0572f000 00000000`00000000 : rtl8192se+0x5c431
fffff880`07dffcb0 fffff880`06d20410 : fffffa80`05878000 fffffa80`0586ef5e 00000000`00000080 fffffa80`05877ab0 : rtl8192se+0x5ac3a
fffff880`07dffd00 fffff800`039262ea : fffffa80`0571e630 00000000`00000080 fffffa80`03cfe040 fffffa80`0571e630 : rtl8192se+0xc7410
fffff880`07dffd40 fffff800`0367a8e6 : fffff880`02f63180 fffffa80`0571e630 fffff880`02f6df80 fffffa80`05628220 : nt!PspSystemThreadStartup+0x5a
fffff880`07dffd80 00000000`00000000 : fffff880`07e00000 fffff880`07dfa000 fffff880`07dffa10 00000000`00000000 : nt!KxStartSystemThread+0x16

0: kd> .trap fffff880`07dff780
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=fffffa8005d27690 rbx=0000000000000000 rcx=fffffa8005cfc610
rdx=fffffa800572f848 rsi=0000000000000000 rdi=0000000000000000
rip=fffff88006c8b857 rsp=fffff88007dff910 rbp=0000000000000000
 r8=fffffa800572f000  r9=0000000000000000 r10=0000000000000000
r11=0000000000000002 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0         nv up ei pl zr na po nc
rtl8192se+0x32857:
fffff880`06c8b857 498b0e          mov     rcx,qword ptr [r14] ds:00000000`00000000=????????????????

0: kd> u @rip
rtl8192se+0x32857:
fffff880`06c8b857 498b0e          mov     rcx,qword ptr [r14]
fffff880`06c8b85a 4885c9          test    rcx,rcx
fffff880`06c8b85d 7406            je      rtl8192se+0x32865 (fffff880`06c8b865)
fffff880`06c8b85f ff15e3a70a00    call    qword ptr [rtl8192se+0xdd048 (fffff880`06d36048)]
fffff880`06c8b865 498bce          mov     rcx,r14
fffff880`06c8b868 ff15daa70a00    call    qword ptr [rtl8192se+0xdd048 (fffff880`06d36048)]
fffff880`06c8b86e 4d85e4          test    r12,r12
fffff880`06c8b871 7416            je      rtl8192se+0x32889 (fffff880`06c8b889)

^^ It looks like rtl8192se.sys (Realtek Wireless LAN 802.11n PCI-E NIC NT driver) jumps into a loop.

SYSTEM_SERVICE_EXCEPTION (3b)

This indicates that an exception happened while executing a routine that transitions from non-privileged code to privileged code.

This error has been linked to excessive paged pool usage and may occur due to user-mode graphics drivers crossing over and passing bad data to the kernel code.

BugCheck 3B, {c0000044, fffff800036b27fc, fffff8800d208290, 0}

0: kd> ln fffff800036b27fc
(fffff800`036b27e4)   nt!RtlRaiseStatus+0x18   |  (fffff800`03656020)   nt!MiRemoveWorkingSetPages

^^ The exception occurred in nt!RtlRaiseStatus.

-- EXCEPTION_CODE: (NTSTATUS) 0xc0000044 - Insufficient quota exists to complete the operation.

^^ This indicates a pool memory leak. A quota allocation attempt necessary for the system to continue operating normally was unsuccessful because of a program or driver memory leak. The driver causing the leak is likely rtl8192se.sys as seen in the above bug check.

--------------------

1. In your loaded drivers list, dtsoftbus01.sys is listed, which is the Daemon Tools driver. Daemon Tools is a very popular cause of BSODs in 7/8 based systems. Please uninstall Daemon Tools. Alternative imaging programs are: MagicISO, Power ISO, etc.

2. Uninstall InterVideo (example - http://www.intervideo.com/jsp/Product_Support.jsp)

3. Visit Toshiba's website and update your Realtek drivers (specifically wireless) - http://support.toshiba.com/drivers

If not on Toshiba (which it should be), check Realtek's site - http://www.realtek.com.tw/downloads/downloadsView.aspx?Langid=1&PNid=21&PFid=48&Level=5&Conn=4&ProdID=230&DownTypeID=3&GetDown=false&Downloads=true#RTL8192SE

4. If you're crashing after all of the above steps, enable Driver Verifier:

Driver Verifier:

What is Driver Verifier?

Driver Verifier is included in Windows 8/8.1, 7, Windows Server 2008 R2, Windows Vista, Windows Server 2008, Windows 2000, Windows XP, and Windows Server 2003 to promote stability and reliability; you can use this tool to troubleshoot driver issues. Windows kernel-mode components can cause system corruption or system failures as a result of an improperly written driver, such as an earlier version of a Windows Driver Model (WDM) driver.

Essentially, if there's a 3rd party driver believed to be at issue, enabling Driver Verifier will help flush out the rogue driver if it detects a violation.

Before enabling Driver Verifier, it is recommended to create a System Restore Point:

Vista - START | type rstrui - create a restore point
Windows 7 - START | type create | select "Create a Restore Point"
Windows 8 - http://www.eightforums.com/tutorials/4690-restore-point-create-windows-8-a.html

How to enable Driver Verifier:

Start > type "verifier" without the quotes > Select the following options -

1. Select - "Create custom settings (for code developers)"
2. Select - "Select individual settings from a full list"
3. Check the following boxes -
- Special Pool
- Pool Tracking
- Force IRQL Checking
- Deadlock Detection
- Security Checks (Windows 7 & 8)
- DDI compliance checking (Windows 8)
- Miscellaneous Checks
4. Select - "Select driver names from a list"
5. Click on the "Provider" tab. This will sort all of the drivers by the provider.
6. Check EVERY box that is NOT provided by Microsoft / Microsoft Corporation.
7. Click on Finish.
8. Restart.

Important information regarding Driver Verifier:

- If Driver Verifier finds a violation, the system will BSOD. To expand on this a bit more for the interested, specifically what Driver Verifier actually does is it looks for any driver making illegal function calls. When and/if this happens, system corruption occurs if allowed to continue. When Driver Verifier is enabled, it is monitoring all 3rd party drivers (as we have it set that way) and when it catches a driver attempting to do this, it will quickly flag that driver as being a troublemaker, and bring down the system safely before any corruption can occur.

- After enabling Driver Verifier and restarting the system, depending on the culprit, if for example the driver is on start-up, you may not be able to get back into normal Windows because Driver Verifier will detect it in violation almost straight away, and as stated above, that will cause / force a BSOD.

If this happens, do not panic, do the following:

- Boot into Safe Mode by repeatedly tapping the F8 key during boot-up.

- Once in Safe Mode - Start > Search > type "cmd" without the quotes.

- To turn off Driver Verifier, type in cmd "verifier /reset" without the quotes.
- Restart and boot into normal Windows.

If your OS became corrupt or you cannot boot into Windows after disabling verifier via Safe Mode:

- Boot into Safe Mode by repeatedly tapping the F8 key during boot-up.

- Once in Safe Mode - Start > type "system restore" without the quotes.

- Choose the restore point you created earlier.

-- Note that Safe Mode for Windows 8 is a bit different, and you may need to try different methods: 5 Ways to Boot into Safe Mode in Windows 8 & Windows 8.1

How long should I keep Driver Verifier enabled for?

I recommend keeping it enabled for at least 24 hours. If you don't BSOD by then, disable Driver Verifier. I will usually say whether or not I'd like for you to keep it enabled any longer.

My system BSOD'd with Driver Verifier enabled, where can I find the crash dumps?

They will be located in %systemroot%\Minidump

Any other questions can most likely be answered by this article:
http://support.microsoft.com/kb/244617

Regards,

Patrick

Debugger/Reverse Engineer.
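As an added example that is not part of the original answer: a PowerShell script that does the selection from steps 3 and 6 above through the `verifier` command line instead of the GUI, listing the running kernel drivers whose file is not published by Microsoft and building the matching `verifier /flags ... /driver ...` command. The flag values are the documented Driver Verifier option bits; filtering on the CompanyName in each driver file's version resource is my approximation of the GUI's "Provider" column, and the script name and its `-Apply` switch are my own.

```powershell
<#
  Added example, not from the original post: lists the running kernel drivers whose
  file is NOT published by Microsoft (the "Provider" tab selection in the post) and
  builds the matching command line for the checks the post ticks. Dry run by
  default; -Apply runs verifier.exe (needs an elevated prompt and a restart).
#>
param([switch]$Apply)

# Documented Driver Verifier option bits for the boxes the post checks.
$checks = [ordered]@{
    'Special Pool'            = 0x00000001
    'Force IRQL Checking'     = 0x00000002
    'Pool Tracking'           = 0x00000008
    'Deadlock Detection'      = 0x00000020
    'Security Checks'         = 0x00000100
    'Miscellaneous Checks'    = 0x00000800
    'DDI compliance checking' = 0x00020000
}
$flags = 0
foreach ($bit in $checks.Values) { $flags = $flags -bor $bit }

# Win32_SystemDriver reports image paths in several forms; normalise them to a file system path.
function Resolve-DriverPath([string]$p) {
    $p = $p -replace '^\\\?\?\\', ''                       # \??\C:\...       -> C:\...
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot      # \SystemRoot\...  -> C:\Windows\...
    if (-not [IO.Path]::IsPathRooted($p)) { $p = Join-Path $env:SystemRoot $p }  # system32\drivers\x.sys
    return $p
}

$thirdParty = Get-CimInstance Win32_SystemDriver |
    Where-Object { $_.State -eq 'Running' -and $_.PathName } |
    ForEach-Object {
        $path    = Resolve-DriverPath $_.PathName
        $company = (Get-Item -LiteralPath $path -ErrorAction SilentlyContinue).VersionInfo.CompanyName
        [pscustomobject]@{ Name = $_.Name; File = (Split-Path $path -Leaf); Company = $company }
    } |
    Where-Object { $_.Company -notmatch 'Microsoft' }     # drivers with no company string stay in the list

$thirdParty | Sort-Object Company, File | Format-Table -AutoSize

$files = $thirdParty.File | Sort-Object -Unique
$cmd   = 'verifier /flags 0x{0:X} /driver {1}' -f $flags, ($files -join ' ')
Write-Host "Equivalent command:`n  $cmd`nUndo with: verifier /reset    Inspect with: verifier /query"

# Each array element is passed to verifier.exe as a separate argument.
if ($Apply) { & verifier.exe /flags ('0x{0:X}' -f $flags) /driver $files; Write-Host 'Restart to start verifying.' }
```

Review the printed table before using -Apply: a driver that the post says to uninstall (Daemon Tools, InterVideo) is better removed than verified, and "verifier /reset" from Safe Mode undoes the settings exactly as the post describes.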