andrey_s
Explorer

Possible reason for BSOD (Blue screen of death)

Hello! We have a BSOD problem on one of the virtual servers, and I thought maybe it's related to the Endpoint Security client installed on the server. Has anybody faced a similar issue and has a fix or a clue? The dump log is below. Thanks guys!

 


Microsoft (R) Windows Debugger Version 10.0.25111.1000 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.


Loading Dump File [C:\Source\021222-58046-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available


************* Path validation summary **************
Response Time (ms) Location
Deferred srv*
Symbol search path is: srv*
Executable search path is:
Windows 8.1 Kernel Version 9600 MP (12 procs) Free x64
Product: Server, suite: TerminalServer SingleUserTS
Edition build lab: 9600.20237.amd64fre.winblue_ltsb_escrow.211215-1033
Machine Name:
Kernel base = 0xfffff802`92c8b000 PsLoadedModuleList = 0xfffff802`92f4e5f0
Debug session time: Sat Feb 12 14:59:54.479 2022 (UTC + 3:00)
System Uptime: 13 days 10:02:32.531
Loading Kernel Symbols
...............................................................
................................................................
..........................................
Loading User Symbols
Loading unloaded module list
......
For analysis of this file, run !analyze -v
nt!KeBugCheckEx:
fffff802`92dca1c0 48894c2408 mov qword ptr [rsp+8],rcx ss:0018:ffffd000`203fcbc0=000000000000001e
3: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

KMODE_EXCEPTION_NOT_HANDLED (1e)
This is a very common BugCheck. Usually the exception address pinpoints
the driver/function that caused the problem. Always note this address
as well as the link date of the driver/image that contains this address.
Arguments:
Arg1: ffffffffc0000005, The exception code that was not handled
Arg2: fffff800eeae6529, The address that the exception occurred at
Arg3: ffffd000203fdbc8, Parameter 0 of the exception
Arg4: ffffd000203fd3e0, Parameter 1 of the exception

Debugging Details:
------------------

*************************************************************************
*** ***
*** ***
*** Either you specified an unqualified symbol, or your debugger ***
*** doesn't have full symbol information. Unqualified symbol ***
*** resolution is turned off by default. Please either specify a ***
*** fully qualified symbol module!symbolname, or enable resolution ***
*** of unqualified symbols by typing ".symopt- 100". Note that ***
*** enabling unqualified symbol resolution with network symbol ***
*** server shares in the symbol path may cause the debugger to ***
*** appear to hang for long periods of time when an incorrect ***
*** symbol name is typed or the network symbol server is down. ***
*** ***
*** For some commands to work properly, your symbol path ***
*** must point to .pdb files that have full type information. ***
*** ***
*** Certain .pdb files (such as the public OS symbols) do not ***
*** contain the required information. Contact the group that ***
*** provided you with these symbols if you need this command to ***
*** work. ***
*** ***
*** Type referenced: ExceptionRecord ***
*** ***
*************************************************************************
*************************************************************************
*** ***
*** ***
*** Either you specified an unqualified symbol, or your debugger ***
*** doesn't have full symbol information. Unqualified symbol ***
*** resolution is turned off by default. Please either specify a ***
*** fully qualified symbol module!symbolname, or enable resolution ***
*** of unqualified symbols by typing ".symopt- 100". Note that ***
*** enabling unqualified symbol resolution with network symbol ***
*** server shares in the symbol path may cause the debugger to ***
*** appear to hang for long periods of time when an incorrect ***
*** symbol name is typed or the network symbol server is down. ***
*** ***
*** For some commands to work properly, your symbol path ***
*** must point to .pdb files that have full type information. ***
*** ***
*** Certain .pdb files (such as the public OS symbols) do not ***
*** contain the required information. Contact the group that ***
*** provided you with these symbols if you need this command to ***
*** work. ***
*** ***
*** Type referenced: ContextRecord ***
*** ***
*************************************************************************
GetUlongPtrFromAddress: unable to read from fffff80292fd8308

KEY_VALUES_STRING: 1

Key : Analysis.CPU.mSec
Value: 3156

Key : Analysis.DebugAnalysisManager
Value: Create

Key : Analysis.Elapsed.mSec
Value: 10513

Key : Analysis.Init.CPU.mSec
Value: 890

Key : Analysis.Init.Elapsed.mSec
Value: 7605

Key : Analysis.Memory.CommitPeak.Mb
Value: 84

Key : WER.OS.Branch
Value: winblue_ltsb_escrow

Key : WER.OS.Timestamp
Value: 2021-12-15T10:33:00Z

Key : WER.OS.Version
Value: 8.1.9600.20237


FILE_IN_CAB: 021222-58046-01.dmp

VIRTUAL_MACHINE: VMware

BUGCHECK_CODE: 1e

BUGCHECK_P1: ffffffffc0000005

BUGCHECK_P2: fffff800eeae6529

BUGCHECK_P3: ffffd000203fdbc8

BUGCHECK_P4: ffffd000203fd3e0

EXCEPTION_PARAMETER1: ffffd000203fdbc8

EXCEPTION_PARAMETER2: ffffd000203fd3e0

WRITE_ADDRESS: GetUlongPtrFromAddress: unable to read from fffff80292fd82a8
GetUlongPtrFromAddress: unable to read from fffff80292fd8530
ffffd000203fd3e0

CUSTOMER_CRASH_COUNT: 1

PROCESS_NAME: System

STACK_TEXT:
ffffd000`203fcbb8 fffff802`92e3d363 : 00000000`0000001e ffffffff`c0000005 fffff800`eeae6529 ffffd000`203fdbc8 : nt!KeBugCheckEx
ffffd000`203fcbc0 fffff802`92ddf836 : fffff800`f0acecc0 ffffe001`fc22ffaa ffffd000`203fcd30 ffffd000`203fcf70 : nt!KiFatalFilter+0x1f
ffffd000`203fcc00 fffff802`92db91c6 : ffffe001`fc22ffcc fffff800`f0b04880 00000000`00010001 00000000`00000801 : nt! ?? ::FNODOBFM::`string'+0x8e6
ffffd000`203fcc40 fffff802`92dd2d6d : 00000000`00000000 ffffd000`203fcde0 ffffd000`203fdbc8 ffffd000`203fcde0 : nt!_C_specific_handler+0x86
ffffd000`203fccb0 fffff802`92d15ba5 : 00000000`00000001 fffff802`92c8b000 ffffd000`203fdb00 00000000`00000000 : nt!RtlpExecuteHandlerForException+0xd
ffffd000`203fcce0 fffff802`92d63639 : ffffd000`203fdbc8 ffffd000`203fd8e0 ffffd000`203fdbc8 ffffe002`03a24ac0 : nt!RtlDispatchException+0x1a5
ffffd000`203fd3b0 fffff802`92dda542 : ffffe001`e509c040 ffffe001`d617f650 00000000`00000000 00000000`000005b4 : nt!KiDispatchException+0x18d
ffffd000`203fda90 fffff802`92dd756c : fffff780`00000008 ffffe001`d73ab1e0 00000000`000005b4 ffffe001`d6325480 : nt!KiExceptionDispatch+0xc2
ffffd000`203fdc70 fffff800`eeae6529 : 00020dc0`bc0c0000 00000000`00000155 ffffe001`d5975270 ffffd000`203fde70 : nt!KiGeneralProtectionFault+0x2ec
ffffd000`203fde00 fffff800`eead7ea6 : 00000000`00000000 00000000`00000000 ffffd000`203fdec8 00000000`00000000 : NDIS!NdisFReturnNetBufferLists+0x199
ffffd000`203fde80 fffff800`eead80fd : 00000000`00000002 00000000`00000001 00000000`00000001 00000000`00000003 : NDIS!ndisInvokeNextReceiveCompleteHandler+0x146
ffffd000`203fdf10 fffff800`eead81c2 : ffffe001`d69b71a0 00000000`00000001 ffffe002`03a24ac0 ffffe001`d79818c0 : NDIS!ndisReturnNetBufferListsInternal+0x12d
ffffd000`203fdf70 fffff800`efc82376 : ffffe001`eae47ae0 00000000`00000001 00000000`00000000 00000000`00000000 : NDIS!NdisReturnNetBufferLists+0x72
ffffd000`203fdfd0 fffff800`eea01193 : 00000000`00000000 fffff800`00000004 00000000`00000004 00000000`00000000 : tcpip+0x6b376
ffffd000`203fe020 fffff800`efd4d533 : 346dc5d6`3886594b ffffe001`d73ab101 ffffe001`d7982010 ffffe002`03a24ac0 : NETIO!NetioDereferenceNetBufferListChain+0xd3
ffffd000`203fe0c0 fffff800`efc7fe9b : 00000000`d427bc46 00000000`0000bc46 0624bc0c`00000000 00000000`00000000 : tcpip+0x136533
ffffd000`203fe0f0 fffff800`efc5a86c : ffffdff0`00000003 00000000`06e90826 00000000`00000000 00000000`00000000 : tcpip+0x68e9b
ffffd000`203fe190 fffff800`efc8a80a : ffffe001`d5d90480 ffffd000`203fe408 ffffd000`203f0dc0 00000000`00000006 : tcpip+0x4386c
ffffd000`203fe290 fffff800`efc8630b : ffffd640`d5b195db 00000000`0000e6a4 0000b022`00000640 00000000`00000001 : tcpip+0x7380a
ffffd000`203fe350 fffff800`efc84762 : 00000000`00000000 ffffd000`203fe469 00000000`00000006 0000e664`0000a8c0 : tcpip+0x6f30b
ffffd000`203fe3b0 fffff800`efc82b40 : ffffe001`f750bc70 ffffe001`eae47980 ffffe001`d5d51000 ffffe001`d5d51000 : tcpip+0x6d762
ffffd000`203fe4d0 fffff800`efc81862 : ffffe001`d797fc20 00000000`00000000 ffffd000`203fe801 00000000`00000000 : tcpip+0x6bb40
ffffd000`203fe850 fffff800`efc82285 : ffffe001`d7980002 00000000`00000000 fffff800`efc822d0 00000000`00000101 : tcpip+0x6a862
ffffd000`203fe930 fffff802`92d12e09 : 00000000`00000000 ffffe001`d5d9f8a0 ffffe001`d5a44e10 ffffd000`203f0580 : tcpip+0x6b285
ffffd000`203fea60 fffff800`efc82476 : fffff800`efc82130 ffffd000`203feb70 00000000`00000000 00000000`00000000 : nt!KeExpandKernelStackAndCalloutInternal+0x2d9
ffffd000`203feb40 fffff800`eead6a53 : 00000000`00000000 ffffd000`203fec21 00000000`00000004 00000000`06e90700 : tcpip+0x6b476
ffffd000`203febc0 fffff800`eead6e7f : 00000000`00000001 fffff800`f0aa0008 ffffe001`00000000 00000000`00000004 : NDIS!ndisMIndicateNetBufferListsToOpen+0x123
ffffd000`203fec80 fffff800`eead76b2 : ffffe001`d69b71a0 fffff800`eeae3501 fffff800`eeae3560 ffffe001`fc22fc70 : NDIS!ndisMTopReceiveNetBufferLists+0x22f
ffffd000`203fed10 fffff800`f0d87d56 : 00000000`00000001 ffffd000`000005dc ffffe001`000001ff 00000000`00000040 : NDIS!NdisMIndicateReceiveNetBufferLists+0x732
ffffd000`203fef00 00000000`00000001 : ffffd000`000005dc ffffe001`000001ff 00000000`00000040 ffffd000`00000301 : vmxnet3+0xcd56
ffffd000`203fef08 ffffd000`000005dc : ffffe001`000001ff 00000000`00000040 ffffd000`00000301 ffffd000`203fef88 : 0x1
ffffd000`203fef10 ffffe001`000001ff : 00000000`00000040 ffffd000`00000301 ffffd000`203fef88 ffffd000`203fef74 : 0xffffd000`000005dc
ffffd000`203fef18 00000000`00000040 : ffffd000`00000301 ffffd000`203fef88 ffffd000`203fef74 00000000`00000000 : 0xffffe001`000001ff
ffffd000`203fef20 ffffd000`00000301 : ffffd000`203fef88 ffffd000`203fef74 00000000`00000000 ffffe001`fc220001 : 0x40
ffffd000`203fef28 ffffd000`203fef88 : ffffd000`203fef74 00000000`00000000 ffffe001`fc220001 00000000`00000028 : 0xffffd000`00000301
ffffd000`203fef30 ffffd000`203fef74 : 00000000`00000000 ffffe001`fc220001 00000000`00000028 00000001`00000000 : 0xffffd000`203fef88
ffffd000`203fef38 00000000`00000000 : ffffe001`fc220001 00000000`00000028 00000001`00000000 00000030`00000040 : 0xffffd000`203fef74


SYMBOL_NAME: NETIO!NetioDereferenceNetBufferListChain+d3

MODULE_NAME: NETIO

IMAGE_NAME: NETIO.SYS

IMAGE_VERSION: 6.3.9600.19535

STACK_COMMAND: .cxr; .ecxr ; kb

BUCKET_ID_FUNC_OFFSET: d3

FAILURE_BUCKET_ID: AV_NETIO!NetioDereferenceNetBufferListChain

OS_VERSION: 8.1.9600.20237

BUILDLAB_STR: winblue_ltsb_escrow

OSPLATFORM_TYPE: x64

OSNAME: Windows 8.1

FAILURE_ID_HASH: {b14cf127-5933-4e45-71a8-f23e2243d43b}

Followup: MachineOwner
---------

3: kd> lmvm NETIO
Browse full module list
start end module name
fffff800`eea00000 fffff800`eea77000 NETIO (pdb symbols) C:\ProgramData\Dbg\sym\netio.pdb\D96A9FA2591E4510BA7B74EEE9A606D82\netio.pdb
Loaded symbol image file: NETIO.SYS
Mapped memory image file: C:\ProgramData\Dbg\sym\NETIO.SYS\5D9DE44D77000\NETIO.SYS
Image path: \SystemRoot\system32\DRIVERS\NETIO.SYS
Image name: NETIO.SYS
Browse all global symbols functions data
Timestamp: Wed Oct 9 16:44:45 2019 (5D9DE44D)
CheckSum: 0007D8A3
ImageSize: 00077000
File version: 6.3.9600.19535
Product version: 6.3.9600.19535
File flags: 0 (Mask 3F)
File OS: 40004 NT Win32
File type: 3.6 Driver
File date: 00000000.00000000
Translations: 0409.04b0
Information from resource tables:
CompanyName: Microsoft Corporation
ProductName: Microsoft® Windows® Operating System
InternalName: netio.sys
OriginalFilename: netio.sys
ProductVersion: 6.3.9600.19535
FileVersion: 6.3.9600.19535 (winblue_ltsb.191009-0600)
FileDescription: Network I/O Subsystem
LegalCopyright: © Microsoft Corporation. All rights reserved.

 
