Question
Applies to
256 views

0xD1, 0x3B and 0xA bluescreens

Hoodlumdan asked on

My new PC has blue-screened on 3 separate occasions. I have downloaded and used WinDbg and researched a bit into the logs, but I'm no expert. Evidence points toward drivers, but all my drivers are updated. Could be overheating, my CPU has peaked at about 60c. Two of the crashes occurred when I was hosting a game server, the other when I was playing a fairly low load game and went AFK.


Possibly related is that twice when hosting my PC lost internet access; wireless was working fine on my phone, just my PC couldn't connect. Had to change my router's IP to fix it. I'm getting very stressed because I spent a lot on this new system, any help figuring out the cause would be much appreciated.


Specs:


Operating System
    Windows 7 Home Premium 64-bit SP1
CPU
    Intel Core i5 4570 @ 3.20GH
    Haswell 22nm Technology
RAM
    16.0GB Dual-Channel DDR3 @ 666MHz (9-9-9-24)
Motherboard
    MSI Z87-G45 GAMING (MS-7821) (SOCKET 0
Graphics
    VG248 (1920x1080@120Hz)
    2043 (1600x900@60Hz)
    2047MB NVIDIA GeForce GTX 770 (ASUStek Computer Inc)
Storage
    931GB Seagate ST1000DX001-1CM162 ATA Device (SATA)

Crash dump logs:

*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high.  This is usually
caused by drivers using improper addresses.
If kernel debugger is available get stack backtrace.
Arguments:
Arg1: 0000000000000010, memory referenced
Arg2: 0000000000000002, IRQL
Arg3: 0000000000000001, value 0 = read operation, 1 = write operation
Arg4: fffff88004278280, address which referenced memory

Debugging Details:
------------------


WRITE_ADDRESS: GetPointerFromAddress: unable to read from fffff800030b7100
 0000000000000010

CURRENT_IRQL:  2

FAULTING_IP:
bflwfx64+4280
fffff880`04278280 4883631000      and     qword ptr [rbx+10h],0

CUSTOMER_CRASH_COUNT:  1

DEFAULT_BUCKET_ID:  VISTA_DRIVER_FAULT

BUGCHECK_STR:  0xD1

PROCESS_NAME:  Steam.exe

TRAP_FRAME:  fffff8800b3b1080 -- (.trap 0xfffff8800b3b1080)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=0000000000000000 rbx=0000000000000000 rcx=0000000000000000
rdx=0000000000286e08 rsi=0000000000000000 rdi=0000000000000000
rip=fffff88004278280 rsp=fffff8800b3b1210 rbp=fffffa800f133701
 r8=00000000002f91a5  r9=0000000011ff0be8 r10=0000000000000001
r11=fffffa8011e3d460 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0         nv up ei ng nz na po nc
bflwfx64+0x4280:
fffff880`04278280 4883631000      and     qword ptr [rbx+10h],0 ds:1278:00000000`00000010=????????????????
Resetting default scope

LAST_CONTROL_TRANSFER:  from fffff80002e7f169 to fffff80002e7fbc0

STACK_TEXT:  
fffff880`0b3b0f38 fffff800`02e7f169 : 00000000`0000000a 00000000`00000010 00000000`00000002 00000000`00000001 : nt!KeBugCheckEx
fffff880`0b3b0f40 fffff800`02e7dde0 : fffff880`0b3b10a0 fffff880`0b3b109c 00000001`00000000 00000000`00000000 : nt!KiBugCheckDispatch+0x69
fffff880`0b3b1080 fffff880`04278280 : 00000000`00000000 fffff800`0300f588 fffffa80`0f1337a0 00000000`00000000 : nt!KiPageFault+0x260
fffff880`0b3b1210 00000000`00000000 : fffff800`0300f588 fffffa80`0f1337a0 00000000`00000000 fffffa80`0f133601 : bflwfx64+0x4280


STACK_COMMAND:  kb

FOLLOWUP_IP:
bflwfx64+4280
fffff880`04278280 4883631000      and     qword ptr [rbx+10h],0

SYMBOL_STACK_INDEX:  3

SYMBOL_NAME:  bflwfx64+4280

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: bflwfx64

IMAGE_NAME:  bflwfx64.sys

DEBUG_FLR_IMAGE_TIMESTAMP:  511bc788

FAILURE_BUCKET_ID:  X64_0xD1_bflwfx64+4280

BUCKET_ID:  X64_0xD1_bflwfx64+4280

--------------------------------------------------------------------------

*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

SYSTEM_SERVICE_EXCEPTION (3b)
An exception happened while executing a system service routine.
Arguments:
Arg1: 00000000c0000005, Exception code that caused the bugcheck
Arg2: fffff8000317488c, Address of the instruction which caused the bugcheck
Arg3: fffff8800b945ec0, Address of the context record for the exception that caused the bugcheck
Arg4: 0000000000000000, zero.

Debugging Details:
------------------


EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.

FAULTING_IP:
nt!ObReferenceObjectByHandleWithTag+10c
fffff800`0317488c 0fb64518        movzx   eax,byte ptr [rbp+18h]

CONTEXT:  fffff8800b945ec0 -- (.cxr 0xfffff8800b945ec0)
rax=fffdfa800cc74031 rbx=fffff8a00ac085f0 rcx=fffdfa800cc74030
rdx=0000000000000002 rsi=fffff8a00b67b230 rdi=fffffa800ea5fa90
rip=fffff8000317488c rsp=fffff8800b9468a0 rbp=fffdfa800cc74030
 r8=fffff8a00b6d8000  r9=0000000000000010 r10=0000000000000000
r11=fffff8800b946a98 r12=0000000000000000 r13=000000000000097c
r14=0000000000000001 r15=fffffa800cfb3890
iopl=0         nv up ei ng nz na po nc
cs=0010  ss=0018  ds=002b  es=002b  fs=0053  gs=002b             efl=00010286
nt!ObReferenceObjectByHandleWithTag+0x10c:
fffff800`0317488c 0fb64518        movzx   eax,byte ptr [rbp+18h] ss:0018:fffdfa80`0cc74048=??
Resetting default scope

CUSTOMER_CRASH_COUNT:  1

DEFAULT_BUCKET_ID:  VISTA_DRIVER_FAULT

BUGCHECK_STR:  0x3B

PROCESS_NAME:  FlashPlayerPlu

CURRENT_IRQL:  0

LAST_CONTROL_TRANSFER:  from 0000000000000000 to fffff8000317488c

STACK_TEXT:  
fffff880`0b9468a0 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!ObReferenceObjectByHandleWithTag+0x10c


FOLLOWUP_IP:
nt!ObReferenceObjectByHandleWithTag+10c
fffff800`0317488c 0fb64518        movzx   eax,byte ptr [rbp+18h]

SYMBOL_STACK_INDEX:  0

SYMBOL_NAME:  nt!ObReferenceObjectByHandleWithTag+10c

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: nt

IMAGE_NAME:  ntkrnlmp.exe

DEBUG_FLR_IMAGE_TIMESTAMP:  521ea035

STACK_COMMAND:  .cxr 0xfffff8800b945ec0 ; kb

FAILURE_BUCKET_ID:  X64_0x3B_nt!ObReferenceObjectByHandleWithTag+10c

BUCKET_ID:  X64_0x3B_nt!ObReferenceObjectByHandleWithTag+10c

--------------------------------------------------------------------------

*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

IRQL_NOT_LESS_OR_EQUAL (a)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high.  This is usually
caused by drivers using improper addresses.
If a kernel debugger is available get the stack backtrace.
Arguments:
Arg1: 0000000000000049, memory referenced
Arg2: 0000000000000002, IRQL
Arg3: 0000000000000001, bitfield :
    bit 0 : value 0 = read operation, 1 = write operation
    bit 3 : value 0 = not an execute operation, 1 = execute operation (only on chips which support this level of status)
Arg4: fffff80002d72c9f, address which referenced memory

Debugging Details:
------------------


WRITE_ADDRESS: GetPointerFromAddress: unable to read from fffff80002ef9100
 0000000000000049

CURRENT_IRQL:  2

FAULTING_IP:
nt!MiIdentifyPfn+26f
fffff800`02d72c9f f0410fba6e481f  lock bts dword ptr [r14+48h],1Fh

CUSTOMER_CRASH_COUNT:  1

DEFAULT_BUCKET_ID:  VISTA_DRIVER_FAULT

BUGCHECK_STR:  0xA

PROCESS_NAME:  svchost.exe

TRAP_FRAME:  fffff880092ee3a0 -- (.trap 0xfffff880092ee3a0)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=0000000000000017 rbx=0000000000000000 rcx=0c00000000000030
rdx=00000000001d4e23 rsi=0000000000000000 rdi=0000000000000000
rip=fffff80002d72c9f rsp=fffff880092ee530 rbp=fffffa8011ce84a0
 r8=000000000017bba4  r9=0000000000000001 r10=0000000000000053
r11=0000058000000000 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0         nv up ei pl nz na pe nc
nt!MiIdentifyPfn+0x26f:
fffff800`02d72c9f f0410fba6e481f  lock bts dword ptr [r14+48h],1Fh ds:00000000`00000048=????????
Resetting default scope

LAST_CONTROL_TRANSFER:  from fffff80002cc1169 to fffff80002cc1bc0

STACK_TEXT:  
fffff880`092ee258 fffff800`02cc1169 : 00000000`0000000a 00000000`00000049 00000000`00000002 00000000`00000001 : nt!KeBugCheckEx
fffff880`092ee260 fffff800`02cbfde0 : 00000000`42506650 00000000`00000000 00000000`00000000 2e000000`002cbe75 : nt!KiBugCheckDispatch+0x69
fffff880`092ee3a0 fffff800`02d72c9f : 00000000`001d65c2 fffffa80`123b7430 00000000`42506600 fffff800`02faca53 : nt!KiPageFault+0x260
fffff880`092ee530 fffff800`02d7394b : 00000000`00000000 00000000`00000004 fffffa80`123b7448 fffffa80`123b7000 : nt!MiIdentifyPfn+0x26f
fffff880`092ee5d0 fffff800`030d5c15 : fffffa80`123b7000 fffff880`092eeb60 fffff880`092ee6a8 00000000`00000000 : nt!MmQueryPfnList+0xbb
fffff880`092ee610 fffff800`03019678 : 00000000`00000006 00000000`00000000 fffffa80`123b7000 00000000`00000001 : nt!PfpPfnPrioRequest+0x115
fffff880`092ee660 fffff800`02fccb33 : 00000000`00000000 00000000`00000000 fffffa80`123b7000 fffff800`02e51501 : nt! ?? ::NNGAKEGL::`string'+0x42d3d
fffff880`092ee6f0 fffff800`02fcd3ad : 00000000`015ebbe8 00000000`02d500c0 00000000`015ebc40 00000000`00000000 : nt!ExpQuerySystemInformation+0x1193
fffff880`092eeaa0 fffff800`02cc0e53 : 00000000`02d4f680 fffff880`092eeb01 fffffa80`0d410300 00000000`00000000 : nt!NtQuerySystemInformation+0x4d
fffff880`092eeae0 00000000`77cb161a : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x13
00000000`015ebb18 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x77cb161a


STACK_COMMAND:  kb

FOLLOWUP_IP:
nt!MiIdentifyPfn+26f
fffff800`02d72c9f f0410fba6e481f  lock bts dword ptr [r14+48h],1Fh

SYMBOL_STACK_INDEX:  3

SYMBOL_NAME:  nt!MiIdentifyPfn+26f

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: nt

DEBUG_FLR_IMAGE_TIMESTAMP:  521ea035

IMAGE_NAME:  memory_corruption

FAILURE_BUCKET_ID:  X64_0xA_nt!MiIdentifyPfn+26f

BUCKET_ID:  X64_0xA_nt!MiIdentifyPfn+26f

1 person had this question

Abuse history


The answered status icon Answer
Patrick Barker replied on

Thanks very much for the kernel-dump!

It's of the DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1) bug check.

This indicates that a kernel-mode driver attempted to access pageable memory at a process IRQL that was too high.

A driver tried to access an address that is pageable (or that is completely invalid) while the IRQL was too high. This bug check is usually caused by drivers that have used improper addresses.

2: kd> .trap fffff880`0b3b1080
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=0000000000000000 rbx=0000000000000000 rcx=0000000000000000
rdx=0000000000286e08 rsi=0000000000000000 rdi=0000000000000000
rip=fffff88004278280 rsp=fffff8800b3b1210 rbp=fffffa800f133701
 r8=00000000002f91a5  r9=0000000011ff0be8 r10=0000000000000001
r11=fffffa8011e3d460 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0         nv up ei ng nz na po nc
bflwfx64+0x4280:
fffff880`04278280 4883631000      and     qword ptr [rbx+10h],0 ds:00000000`00000010=????????????????

2: kd> knL
  *** Stack trace for last set context - .thread/.cxr resets it
 # Child-SP          RetAddr           Call Site
00 fffff880`0b3b1210 fffff880`04278114 bflwfx64+0x4280
01 fffff880`0b3b1250 fffff880`04278304 bflwfx64+0x4114
02 fffff880`0b3b1290 fffff880`04275356 bflwfx64+0x4304
03 fffff880`0b3b12d0 fffff880`0427bc04 bflwfx64+0x1356
04 fffff880`0b3b1320 fffff880`04276a6d bflwfx64+0x7c04
05 fffff880`0b3b1380 fffff880`014034d4 bflwfx64+0x2a6d
06 fffff880`0b3b13e0 fffff880`04120199 ndis!NdisFSendNetBufferLists+0x64
07 fffff880`0b3b1420 fffff880`01403419 pacer!PcFilterSendNetBufferLists+0x29
08 fffff880`0b3b1520 fffff880`014bf5d5 ndis!ndisSendNBLToFilter+0x69
09 fffff880`0b3b1580 fffff880`0165e5ae ndis!NdisSendNetBufferLists+0x85
0a fffff880`0b3b15e0 fffff880`0165c1a7 tcpip!IppFragmentPackets+0x39e
0b fffff880`0b3b1700 fffff880`0165dbd5 tcpip!IppDispatchSendPacketHelper+0x87
0c fffff880`0b3b17c0 fffff880`0165ce5e tcpip!IppPacketizeDatagrams+0x2d5
0d fffff880`0b3b18e0 fffff880`0165f77e tcpip!IppSendDatagramsCommon+0x87e
0e fffff880`0b3b1a80 fffff880`0163bef1 tcpip!IpNlpSendDatagrams+0x3e
0f fffff880`0b3b1ac0 fffff880`0163c14e tcpip!UdpSendMessagesOnPathCreation+0x6d1
10 fffff880`0b3b1e40 fffff880`0163c695 tcpip!UdpSendMessages+0x1ee
11 fffff880`0b3b2230 fffff800`02e8b878 tcpip!UdpTlProviderSendMessagesCalloutRoutine+0x15
12 fffff880`0b3b2260 fffff880`0163c728 nt!KeExpandKernelStackAndCalloutEx+0xd8
13 fffff880`0b3b2340 fffff880`04076e9e tcpip!UdpTlProviderSendMessages+0x78
14 fffff880`0b3b23c0 fffff880`04076ad3 afd!AfdTLFastDgramSend+0xbe
15 fffff880`0b3b2460 fffff880`0405a04c afd!AfdFastDatagramSend+0x2e3
16 fffff880`0b3b2560 fffff800`0319c113 afd!AfdFastIoDeviceControl+0x103c
17 fffff880`0b3b28d0 fffff800`0319cc06 nt!IopXxxControlFile+0x373
18 fffff880`0b3b2a00 fffff800`02e7ee53 nt!NtDeviceIoControlFile+0x56
19 fffff880`0b3b2a70 00000000`74cf2e09 nt!KiSystemServiceCopyEnd+0x13
1a 00000000`067eec58 00000000`00000000 0x74cf2e09

^^ Many different network routines (tcpip, ndis, etc). Eventually the routine in which NDIS sends net buffer lists calls into bflwfx64.sys, which is the Bigfoot Networks Bandwidth Control Wireless NDIS Light Weight Filter driver. After a few calls, we hit a pagefault.

----------------------

1. Remove and replace avast! with Microsoft Security Essentials for temporary troubleshooting purposes as it's very likely causing NETBIOS conflicts:

avast! removal - http://www.avast.com/uninstall-utility

MSE -  http://windows.microsoft.com/en-us/windows/security-essentials-download

2. Ensure your Bigfoot network drivers are up to date - http://www.bigfootnetworks.com/support/index.php?_m=downloads&_a=view

Regards,

Patrick

Debugger/Reverse Engineer.
Be the first person to mark this helpful

Abuse history


progress