BSOD Windows 7 Professional 64bit (Wdf01000.sys)

ataqi asked on

Hi,

I'm having a BSOD on my Windows 7 machine, and it occurred to me that it might have something to do with Wdf01000.sys. Having analyzed it using WinDbg (see below), I would appreciate it if someone could assist on which installation driver might cause this problem. Thank you.

*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high.  This is usually
caused by drivers using improper addresses.
If kernel debugger is available get stack backtrace.
Arguments:
Arg1: 00000000000000b8, memory referenced
Arg2: 0000000000000002, IRQL
Arg3: 0000000000000000, value 0 = read operation, 1 = write operation
Arg4: fffff88000edb70e, address which referenced memory

Debugging Details:
------------------


READ_ADDRESS:  00000000000000b8 

CURRENT_IRQL:  2

FAULTING_IP: 
Wdf01000!FxRequest::GetParameters+de
fffff880`00edb70e 488bb8b8000000  mov     rdi,qword ptr [rax+0B8h]

CUSTOMER_CRASH_COUNT:  1

DEFAULT_BUCKET_ID:  VISTA_DRIVER_FAULT

BUGCHECK_STR:  0xD1

PROCESS_NAME:  System

TRAP_FRAME:  fffff80000b9c450 -- (.trap 0xfffff80000b9c450)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=0000000000000000 rbx=0000000000000000 rcx=fffff80000b9c718
rdx=fffff80000b9c710 rsi=0000000000000000 rdi=0000000000000000
rip=fffff88000edb70e rsp=fffff80000b9c5e0 rbp=0000057ff5f196f8
 r8=0000000000000020  r9=0000000000000000 r10=0000000000000001
r11=fffffa800a09d8f0 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0         nv up ei pl zr na po nc
Wdf01000!FxRequest::GetParameters+0xde:
fffff880`00edb70e 488bb8b8000000  mov     rdi,qword ptr [rax+0B8h] ds:e520:00000000`000000b8=????????????????
Resetting default scope

LAST_CONTROL_TRANSFER:  from fffff800032cb129 to fffff800032cbb80

STACK_TEXT:  
fffff800`00b9c308 fffff800`032cb129 : 00000000`0000000a 00000000`000000b8 00000000`00000002 00000000`00000000 : nt!KeBugCheckEx
fffff800`00b9c310 fffff800`032c9da0 : fffffa80`084c35f0 fffff800`032ac686 fffffa80`084307c0 fffffa80`0a0e6900 : nt!KiBugCheckDispatch+0x69
fffff800`00b9c450 fffff880`00edb70e : fffffa80`0848e520 fffff880`00f3de43 00000000`00000002 fffffa80`0a09d8f0 : nt!KiPageFault+0x260
fffff800`00b9c5e0 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : Wdf01000!FxRequest::GetParameters+0xde


STACK_COMMAND:  kb

FOLLOWUP_IP: 
Wdf01000!FxRequest::GetParameters+de
fffff880`00edb70e 488bb8b8000000  mov     rdi,qword ptr [rax+0B8h]

SYMBOL_STACK_INDEX:  3

SYMBOL_NAME:  Wdf01000!FxRequest::GetParameters+de

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: Wdf01000

IMAGE_NAME:  Wdf01000.sys

DEBUG_FLR_IMAGE_TIMESTAMP:  51c51641

FAILURE_BUCKET_ID:  X64_0xD1_Wdf01000!FxRequest::GetParameters+de

BUCKET_ID:  X64_0xD1_Wdf01000!FxRequest::GetParameters+de

Answer
Patrick Barker replied on

Thanks!

We have two consistent bug checks:

DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)

This indicates that a kernel-mode driver attempted to access pageable memory at a process IRQL that was too high.

A driver tried to access an address that is pageable (or that is completely invalid) while the IRQL was too high. This bug check is usually caused by drivers that have used improper addresses.

SYSTEM_THREAD_EXCEPTION_NOT_HANDLED_M (1000007e)

This indicates that a system thread generated an exception which the error handler did not catch.

BugCheck 1000007E, {ffffffffc0000005, fffff88000edba42, fffff8800be80308, fffff8800be7fb60}

^^ The 1st parameter of the bug check is 0xc0000005 which indicates an access violation occurred.

7: kd> .exr 0xfffff8800be80308
ExceptionAddress: fffff88000edba42 (Wdf01000!FxIoQueue::CancelForQueue+0x0000000000000252)
   ExceptionCode: c0000005 (Access violation)

^^ The violation occurred in Wdf01000!FxIoQueue::CancelForQueue.

We very likely have a driver causing conflicts and corruption here.

----------------

Uninstall Lumension Security + McAfee and replace with MSE ASAP as they are very likely causing conflicts.

McAfee removal - http://service.mcafee.com/FAQDocument.aspx?id=TS101331

MSE -  http://windows.microsoft.com/en-us/windows/security-essentials-download

Regards,

Patrick

Debugger/Reverse Engineer.
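The following is an added example, not part of either post above. It parses the bug check arguments, trap-frame registers and faulting instruction from the `!analyze -v` text in the question and checks whether the referenced address is simply the instruction's displacement off a zero base register, which is the case here (`rax` = 0, `[rax+0B8h]`, Arg1 = `b8`). The function name `triage_d1` is hypothetical, and the sample is a constructed excerpt of lines copied from the question's dump.

```python
import re

# Constructed sample: lines copied from the !analyze -v output in the question.
SAMPLE = """\
DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)
Arg1: 00000000000000b8, memory referenced
Arg2: 0000000000000002, IRQL
Arg3: 0000000000000000, value 0 = read operation, 1 = write operation
Arg4: fffff88000edb70e, address which referenced memory
rax=0000000000000000 rbx=0000000000000000 rcx=fffff80000b9c718
Wdf01000!FxRequest::GetParameters+0xde:
fffff880`00edb70e 488bb8b8000000  mov     rdi,qword ptr [rax+0B8h]
"""


def triage_d1(text):
    """Summarise a 0xD1 bug check from !analyze -v text (hypothetical helper)."""
    args = {int(n): int(v, 16)
            for n, v in re.findall(r"^Arg(\d): ([0-9a-f]+)", text, re.M)}
    regs = {r: int(v, 16)
            for r, v in re.findall(r"\b(r[a-z0-9]{1,2})=([0-9a-f]{16})", text)}
    # Symbolised faulting location, e.g. Wdf01000!FxRequest::GetParameters+0xde:
    sym = re.search(r"^(\w+)!(\S+?)\+0x([0-9a-f]+):", text, re.M)
    # Memory operand of the faulting instruction, e.g. [rax+0B8h]
    op = re.search(r"\[(r[a-z0-9]{1,2})\+([0-9A-Fa-f]+)h\]", text)
    result = {
        "address": args[1],                        # Arg1: memory referenced
        "irql": args[2],                           # Arg2: 2 is DISPATCH_LEVEL
        "access": "write" if args[3] else "read",  # Arg3
        "faulting_ip": args[4],                    # Arg4
        "module": sym.group(1) if sym else None,
        "function": sym.group(2) if sym else None,
        "null_deref": False,
    }
    if op and op.group(1) in regs:
        base, disp = regs[op.group(1)], int(op.group(2), 16)
        result["base_reg"], result["displacement"] = op.group(1), disp
        # Zero base plus displacement equal to Arg1: a field read through a
        # NULL object pointer rather than a touch of paged-out memory.
        result["null_deref"] = base == 0 and base + disp == args[1]
    return result


if __name__ == "__main__":
    print(triage_d1(SAMPLE))
```
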