
Blue Screen with IRQL_NOT_LESS_OR_EQUAL in Windows 7

AllanTannenbaum asked on

After many blue death screens with this error message, Windows worked in Safe Mode, but crashes in Normal Mode. I uninstalled two questionable drivers to no avail. I uninstalled Norton 360 so now the machine tries to boot Windows but freezes. Hardware diagnostics are all OK except for a failed SMART test of the HDD. Here are the dump files:

https://www.dropbox.com/s/

I'm at my wit's end and cannot afford to waste more time with this, so please help!

1 person had this question

Patrick Barker replied on

Hi,

All of the attached DMP files are of the IRQL_NOT_LESS_OR_EQUAL (a) bug check.

This indicates that Microsoft Windows or a kernel-mode driver accessed paged memory at DISPATCH_LEVEL or above.

This bug check is issued if paged memory (or invalid memory) is accessed when the IRQL is too high. The error that generates this bug check usually occurs after the installation of a faulty device driver, system service, or BIOS.

-------------------

By default, the fault of the crashes is NETIO.sys which is the Network I/O Subsystem. This is not the true cause of the crash, and usually when we have network related crashes like this, it's caused by one of two things:

1. Network drivers themselves need to be updated.

2. 3rd party antivirus or firewall software causing NETBIOS conflicts.

Also, in some dumps, we even have Norton in the stack:

1: kd> kv
Child-SP          RetAddr           : Args to Child                                                           : Call Site
fffff880`033cb228 fffff800`03093169 : 00000000`0000000a 00000000`00000000 00000000`00000002 00000000`00000001 : nt!KeBugCheckEx
fffff880`033cb230 fffff800`03091de0 : 00000000`00000010 fffff880`033cb560 00000000`00000003 00000000`00000000 : nt!KiBugCheckDispatch+0x69
fffff880`033cb370 fffff800`0309cc3f : fffff880`009eb180 fffff800`0309cd19 00000000`00000000 00000000`00000000 : nt!KiPageFault+0x260 (TrapFrame @ fffff880`033cb370)
fffff880`033cb500 fffff880`017329c7 : 00000000`00000004 fffff880`033cb7e0 00000000`00008900 fffffa80`072d67c8 : nt!KeAcquireInStackQueuedSpinLockAtDpcLevel+0x4f
fffff880`033cb550 fffff880`018e505d : fffffa80`0987ebb0 fffffa80`07ebb620 fffff880`033cb7e0 00000000`00008900 : NETIO!WfpExpireEntryLru+0x17
fffff880`033cb5a0 fffff880`018ac787 : 00000000`00000004 fffff880`01700030 fffffa80`09873860 00000000`00000001 : tcpip!WfpAleCloseRemoteEndpointConnection+0x2d
fffff880`033cb5d0 fffff880`01924e2b : fffffa80`0987ebb0 fffffa80`099f038a 00000000`00000001 fffffa80`0987ebb0 : tcpip! ?? ::FNODOBFM::`string'+0x20f72
fffff880`033cb720 fffff880`019251b2 : fffff880`009eb180 fffffa80`099f02c0 fffffa80`07f5d280 00000000`00000001 : tcpip!WfpAleHandleSendCompletion+0xeb
fffff880`033cb840 fffff880`0192f682 : 00000000`00000000 00000000`00000001 00000000`00000000 fffffa80`07f708b8 : tcpip!WfpAlepAuthorizeSendCompletion+0x32
fffff880`033cb890 fffff880`01797af2 : 00000000`00000089 00000000`00000089 fffffa80`09be4f50 00000000`00000001 : tcpip!WfpAleCompleteOperation+0x162
fffff880`033cb930 fffff880`02e7242b : 00000000`00000000 00000000`00000000 fffffa80`09a78a00 00000000`00000030 : fwpkclnt!FwpsCompleteOperation0+0x1e
fffff880`033cb960 00000000`00000000 : 00000000`00000000 fffffa80`09a78a00 00000000`00000030 00000000`00000089 : SYMNETS+0x1e42b

You noted you removed it, but I still see quite a few remnants listed and loaded in the modules list. Please run the removal tool:


Norton removal - https://support.norton.com/sp/en/us/home/current/solutions/kb20080710133834EN_EndUserProfile_en_us;jsessionid=841A6D40BA6872C47697C6C6B19C8E11.4?entsrc=redirect_pubweb&pvid=f-home

Regards,

Patrick

Debugger/Reverse Engineer.
1 person found this helpful
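
The triage step in the answer above (look past the module blamed by default and see which drivers are on the stack) can be reproduced on the posted `kv` output. This is an added example, not part of the original answer; the `INBOX` set is an assumption covering only the Windows components that appear in this stack, and the function names are hypothetical.

```python
import re

# Windows components seen in this stack. Assumption for this example only,
# not a complete allow-list of Microsoft modules.
INBOX = {"nt", "netio", "tcpip", "fwpkclnt"}
FRAME = re.compile(r"^[0-9a-f]{8}`[0-9a-f]{8} [0-9a-f]{8}`[0-9a-f]{8} : .* : (\S.*)$")
SITE = re.compile(r"^(\w+)(?:!\s*([^+]*))?")  # module[!symbol][+offset]

# Stack copied from the answer above.
KV = r"""1: kd> kv
Child-SP          RetAddr           : Args to Child                                                           : Call Site
fffff880`033cb228 fffff800`03093169 : 00000000`0000000a 00000000`00000000 00000000`00000002 00000000`00000001 : nt!KeBugCheckEx
fffff880`033cb230 fffff800`03091de0 : 00000000`00000010 fffff880`033cb560 00000000`00000003 00000000`00000000 : nt!KiBugCheckDispatch+0x69
fffff880`033cb370 fffff800`0309cc3f : fffff880`009eb180 fffff800`0309cd19 00000000`00000000 00000000`00000000 : nt!KiPageFault+0x260 (TrapFrame @ fffff880`033cb370)
fffff880`033cb500 fffff880`017329c7 : 00000000`00000004 fffff880`033cb7e0 00000000`00008900 fffffa80`072d67c8 : nt!KeAcquireInStackQueuedSpinLockAtDpcLevel+0x4f
fffff880`033cb550 fffff880`018e505d : fffffa80`0987ebb0 fffffa80`07ebb620 fffff880`033cb7e0 00000000`00008900 : NETIO!WfpExpireEntryLru+0x17
fffff880`033cb5a0 fffff880`018ac787 : 00000000`00000004 fffff880`01700030 fffffa80`09873860 00000000`00000001 : tcpip!WfpAleCloseRemoteEndpointConnection+0x2d
fffff880`033cb5d0 fffff880`01924e2b : fffffa80`0987ebb0 fffffa80`099f038a 00000000`00000001 fffffa80`0987ebb0 : tcpip! ?? ::FNODOBFM::`string'+0x20f72
fffff880`033cb720 fffff880`019251b2 : fffff880`009eb180 fffffa80`099f02c0 fffffa80`07f5d280 00000000`00000001 : tcpip!WfpAleHandleSendCompletion+0xeb
fffff880`033cb840 fffff880`0192f682 : 00000000`00000000 00000000`00000001 00000000`00000000 fffffa80`07f708b8 : tcpip!WfpAlepAuthorizeSendCompletion+0x32
fffff880`033cb890 fffff880`01797af2 : 00000000`00000089 00000000`00000089 fffffa80`09be4f50 00000000`00000001 : tcpip!WfpAleCompleteOperation+0x162
fffff880`033cb930 fffff880`02e7242b : 00000000`00000000 00000000`00000000 fffffa80`09a78a00 00000000`00000030 : fwpkclnt!FwpsCompleteOperation0+0x1e
fffff880`033cb960 00000000`00000000 : 00000000`00000000 fffffa80`09a78a00 00000000`00000030 00000000`00000089 : SYMNETS+0x1e42b
"""

def call_sites(kv_text):
    """Return (module, symbol) per frame, top of stack first."""
    frames = []
    for line in kv_text.splitlines():
        m = FRAME.match(line.strip())
        if m:  # skips the prompt and the column header
            mod, sym = SITE.match(m.group(1)).groups()
            frames.append((mod, sym.strip() if sym else None))  # None: no symbols
    return frames

def triage(kv_text):
    """Return (modules in stack order, modules outside the INBOX set)."""
    modules = []
    for mod, _ in call_sites(kv_text):
        if mod not in modules:
            modules.append(mod)
    return modules, [m for m in modules if m.lower() not in INBOX]

if __name__ == "__main__":
    print(triage(KV))
```

On this stack the only module outside the set is SYMNETS, the frame the answer attributes to Norton, even though NETIO is the module blamed by default.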

Patrick Barker replied on

My pleasure!

If and when you are comfortable and feel your issue has been solved, I'd recommend marking any posts of mine that answered your question as answered so this thread no longer shows up as requiring an answer.

------------------

Nope, they were likely false positives. Don't worry about it unless you start seeing actual problems that are leaning towards a faulty HDD.

If you'd like to be extra sure just for your own peace of mind, you can run Chkdsk + Seatools:

Chkdsk:
There are various ways to run Chkdsk~


Method 1:

Start > Search bar > Type cmd (right click run as admin to execute Elevated CMD)

Elevated CMD should now be opened, type the following:

chkdsk x: /r

x implies your drive letter, so if your hard drive in question is letter c, it would be:

chkdsk c: /r

Restart system and let chkdsk run.

Method 2:


    Open the "Computer" window
    Right-click on the drive in question
    Select the "Tools" tab
    In the Error-checking area, click <Check Now>.

If you'd like to get a log file that contains the chkdsk results, do the following:

Press Windows Key + R and type powershell.exe in the run box

Paste the following command and press enter afterwards:

get-winevent -FilterHashTable @{logname="Application"; id="1001"}| ?{$_.providername -match "wininit"} | fl timecreated, message | out-file Desktop\CHKDSKResults.txt

This will output a .txt file on your Desktop containing the results of the chkdsk.

If chkdsk turns out okay, run Seatools -

http://www.seagate.com/support/downloads/seatools/

You can run it via Windows or DOS. Do note that the only difference is simply the environment you're running it in. In Windows, if you are having what you believe to be device driver related issues that may cause conflicts or false positives, it may be a wise decision to choose the most minimal testing environment (DOS).

Run all tests EXCEPT: Fix All and anything Advanced.

Regards,

Patrick

Debugger/Reverse Engineer.
1 person found this helpful
