Getting BSOD 0x7F - Windows 7 x86

Docfxit

· OS - Windows 7
· x86 (32-bit)
· What was original installed OS on system? No.
· Is the OS an OEM version (came pre-installed on system)
· Age of system (hardware) 5/16/2013
· Age of OS installation - have you re-installed the OS? Yes 3/28/2011

· CPU
· Video Card Intel HD Graphics 4000
· MotherBoard - (if NOT a laptop) Lenovo Model Mahobay North Bridge Intel ID0150 Revision 09 South Bridge Intel ID1E47 Revision 09
· Power Supply - brand & wattage (if laptop, skip this one) ?

· System Manufacturer Lenovo
· Exact model number (if laptop, check label on bottom) M92P

· Desktop

I have a web server running on this PC. I have a WAN monitor for the web server. For some unknown reason I get emails saying my web server is down at varying times of the day.

Thank you,

Docfxit
 

Code:
0: kd> .bugcheck
Bugcheck code 1000007F
Arguments 00000008 801e2000 00000000 00000000

Code:
31 cfff4cb8 8d2c6f12 NETIO!ProcessNonBufferedCallout+0x23
32 cfff4d14 8d2c7b3e NETIO!ProcessCallout+0x184
33 cfff4d88 8d2c621f NETIO!ArbitrateAndEnforce+0xae
34 cfff4e98 8d4cea0f NETIO!KfdClassify+0x1c7
35 cfff50e0 8d4a4fae tcpip!WFPDatagramDataShimV4+0x3e0
36 cfff513c 8d4a3559 tcpip!WfpDatagramDataIndicate+0x67
37 cfff5290 8d49757d tcpip!ProcessALEForTransportPacket+0x4db
38 cfff533c 8d4972cb tcpip!ProcessAleForNonTcpIn+0x92
39 cfff55a0 8d4a3005 tcpip!WfpProcessInTransportStackIndication+0x636
3a cfff55f4 8d48e3e2 tcpip!InetInspectReceiveDatagram+0xf1
3b cfff56b4 8d4a48e8 tcpip!UdpBeginMessageIndication+0x54
3c cfff5700 8d48fd6b tcpip!UdpDeliverDatagrams+0x1d9
3d cfff5750 8d4a4544 tcpip!UdpReceiveDatagrams+0xb9
3e cfff5760 8d48e814 tcpip!UdpNlClientReceiveDatagrams+0x12
3f cfff578c 8d48e156 tcpip!IppDeliverListToProtocol+0x49
40 cfff57ac 8d48c518 tcpip!IppProcessDeliverList+0x2a
41 cfff5804 8d48dfff tcpip!IppReceiveHeaderBatch+0x1fb
42 cfff5898 8d49c515 tcpip!IpFlcReceivePackets+0xbe5
43 cfff5914 8d496a9d tcpip!FlpReceiveNonPreValidatedNetBufferListChain+0x746
44 cfff5948 832c0beb tcpip!FlReceiveNetBufferListChainCalloutRoutine+0x11e
45 cfff59b0 8d496c0b nt!KeExpandKernelStackAndCalloutEx+0x132
46 cfff59ec 8d27518d tcpip!FlReceiveNetBufferListChain+0x7c
47 cfff5a24 8d263405 ndis!ndisMIndicateNetBufferListsToOpen+0x188
48 cfff5bb0 8d214d07 ndis!ndisMDispatchReceiveNetBufferLists+0x7c
49 cfff5be4 8d214dd9 ndis!ndisDoPeriodicReceivesIndication+0x125
4a cfff5c0c 8d2148e0 ndis!ndisPeriodicReceivesWorker+0x5b
4b cfff5c50 8344200f ndis!ndisReceiveWorkerThread+0x161
4c cfff5c90 832e8699 nt!PspSystemThreadStartup+0x9e
4d 00000000 00000000 nt!KiThreadStartup+0x19

From frame #4d and up, we have a ton of network-related functions and calls (ndis, tcpip, network I/O subsystem, etc.).

After the last frame, we head into calls from:

Code:
0d cfff37b8 832b9ab7 nt!RtlSidHashLookup+0xaf
0e cfff37cc 832b9a6d nt!SepSidInTokenSidHash+0x40
0f cfff37e8 832b9870 nt!SepSidInToken+0x29
10 cfff3814 832b94b1 nt!SepNormalAccessCheck+0x6c
11 cfff38bc 832b926b nt!SepAccessCheck+0x1f9
12 cfff3924 832cf02d nt!SeAccessCheckWithHint+0x1f1
13 cfff3d58 8d2c76c1 nt!SeAccessCheckFromState+0xea
14 cfff3d9c 8d2c7614 NETIO!CompareSecurityContexts+0x48
15 cfff3dcc 8d2c66d8 NETIO!MatchValues+0x121
16 cfff3de8 8d2c6943 NETIO!MatchCondition+0x51
17 cfff3e0c 8d2c6a20 NETIO!FilterMatch+0x52
18 cfff3e3c 8d2c6845 NETIO!IndexListClassify+0x31
19 cfff3e7c 8d2c61ed NETIO!FindMatchingEntries+0xdc
1a cfff3f80 8d497bf4 NETIO!KfdClassify+0x195
1b cfff3fac 8d49ba0c tcpip!WfpAleClassify+0x38
1c cfff4124 8d49bb32 tcpip!WfpAlepReauthorizeInboundConnection+0x931
1d cfff41c0 8d49b08c tcpip!WfpAleReauthorizeInboundConnection+0xf9
1e cfff4374 8d4a4e7e tcpip!WfpAleReauthorizeConnection+0x3a5
1f cfff4414 8d4a34ed tcpip!TlShimOptionalReauthorizeConnection+0x188
20 cfff4564 8d49757d tcpip!ProcessALEForTransportPacket+0x46f
21 cfff4610 8d4972cb tcpip!ProcessAleForNonTcpIn+0x92
22 cfff4874 8d4a3005 tcpip!WfpProcessInTransportStackIndication+0x636
23 cfff48c8 8d48e3e2 tcpip!InetInspectReceiveDatagram+0xf1
24 cfff4988 8d4a48e8 tcpip!UdpBeginMessageIndication+0x54
25 cfff49d4 8d48fd6b tcpip!UdpDeliverDatagrams+0x1d9
26 cfff4a24 8d4a4544 tcpip!UdpReceiveDatagrams+0xb9
27 cfff4a34 8d48e814 tcpip!UdpNlClientReceiveDatagrams+0x12
28 cfff4a60 8d48e156 tcpip!IppDeliverListToProtocol+0x49
29 cfff4a80 8d48c518 tcpip!IppProcessDeliverList+0x2a
2a cfff4ad8 8d48dfff tcpip!IppReceiveHeaderBatch+0x1fb
2b cfff4b6c 8d4e2e4b tcpip!IpFlcReceivePackets+0xbe5
2c cfff4b8c 8d56f1ad tcpip!IppInspectInjectReceive+0xca
2d cfff4bc4 94298027 fwpkclnt!FwpsInjectTransportReceiveAsync0+0x1bc
2e cfff4c14 9429a1ab vsdatant+0xd027
2f cfff4c44 9429b43d vsdatant+0xf1ab
30 cfff4c94 8d2dcef6 vsdatant+0x1043d

vsdatant.sys.

We can see it's calling the ip-sec kernel mode API for TCPIP to inspect, inject, etc, packets.

Code:
0: kd> lmvm vsdatant
start    end        module name
9428b000 94316000   vsdatant T (no symbols)           
    Loaded symbol image file: vsdatant.sys
    Image path: vsdatant.sys
    Image name: vsdatant.sys
    Timestamp:        Tue Jun 03 20:02:49 2014

We should look into this driver first as being the culprit.

FWIW, I've never had anything good to say about ZoneAlarm. The only time I ever used it was back when I was a teenager and used it for exploiting Halo 2.

I'd remove it for now and let me know how it goes.
 
I uninstalled ZoneAlarm and NetLimiter. After starting Verifier I received a BSOD 0xC4 NLTDI.sys.
I re-booted and received a BSOD 0x8E.

What should I do next?

Thank you for your help.

Docfxit
 
Driver Verifier has been running for days now. How would you like me to show the results?

Thanks,

Docfxit
 
Sorry, have had no time to reply because of work. Will post back hopefully tonight if I can.
 
Okay, sorry.

Your problem is easily shown thanks to verifier.

Code:
3: kd> .bugcheck
Bugcheck code 000000C4
Arguments 000000f6 000001b4 8c48c600 8fa2c513

Code:
3: kd> knL
 # ChildEBP RetAddr  
00 8aa9ef64 83553f03 nt!KeBugCheckEx+0x1e
01 8aa9ef84 83558766 nt!VerifierBugCheckIfAppropriate+0x30
02 8aa9f018 8343f2db nt!VfCheckUserHandle+0x14f
03 8aa9f048 8343f195 nt!ObReferenceObjectByHandleWithTag+0x13b
04 8aa9f06c 834705f7 nt!ObReferenceObjectByHandle+0x21
05 8aa9f254 83259896 nt!NtQueryInformationToken+0xc2
06 8aa9f254 83258089 nt!KiSystemServicePostCall
07 8aa9f2e0 8fa2b9ee nt!ZwQueryInformationToken+0x11
08 8aa9f410 8fa2c513 nltdi+0x9ee
09 8aa9f480 8fa2b7a1 nltdi+0x1513
0a 8aa9f4b8 8354e6c3 nltdi+0x7a1
0b 8aa9f4dc 83252bc5 nt!IovCallDriver+0x258
0c 8aa9f4f0 834636b4 nt!IofCallDriver+0x1b
0d 8aa9f5c8 83442e3c nt!IopParseDevice+0xee6
0e 8aa9f644 83453263 nt!ObpLookupObjectName+0x4fa
0f 8aa9f6a4 83449d41 nt!ObOpenObjectByName+0x165
10 8aa9f720 8348b404 nt!IopCreateFile+0x673
11 8aa9f77c 8ff4b517 nt!IoCreateFileEx+0x9e
12 8aa9f9c0 8ff47faf afd!AfdTdiCreateAO+0x573
13 8aa9fa48 8ff542bc afd!AfdBind+0x37a
14 8aa9fa58 8354e6c3 afd!AfdDispatchDeviceControl+0x3b
15 8aa9fa7c 83252bc5 nt!IovCallDriver+0x258
16 8aa9fa90 83447d15 nt!IofCallDriver+0x1b
17 8aa9fab0 8344aefe nt!IopSynchronousServiceTail+0x1f8
18 8aa9fb4c 8349193b nt!IopXxxControlFile+0x6aa
19 8aa9fb80 905cfef2 nt!NtDeviceIoControlFile+0x2a
1a 8aa9fc04 83259896 bdselfpr+0x8ef2
1b 8aa9fc04 778c70f4 nt!KiSystemServicePostCall
1c 0017f630 00000000 0x778c70f4

Your Bitdefender self-protection kernel driver calls the NtDeviceIoControlFile function to build descriptors for the supplied buffer(s) and pass the untyped data. No doubt NetLimiter is causing a conflict (or it's just developed horribly) as it's passing a user-mode handle as kernel-mode, therefore verifier threw a bug check with the 0xf6 parameter.

Uninstall NetLimiter.
 
...

Now we wait, keep verifier enabled. If you don't crash within a few days, disable it and consider it solved.
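
The triage done by eye in both analysis posts above (finding the frames WinDbg could not symbolize, i.e. `module+0xoffset` with no `!function`, and reading the frames on either side of them) can be scripted over saved `kn` output. This is an added example, not part of the original thread: the function names are hypothetical and the sample stacks are excerpts of the frames posted above. It also lists functions that occur twice in one stack, as `tcpip!IpFlcReceivePackets` does on either side of the vsdatant frames.

```python
import re
from collections import Counter

# `kn` frame line: <frame#> <ChildEBP> <RetAddr> <module>[!<function>][+0x<offset>]
FRAME = re.compile(r"^\s*([0-9a-f]+)\s+[0-9a-f]{8}\s+[0-9a-f]{8}\s+([a-z_]\w*)(?:!(\w+))?", re.I)

# Constructed samples: excerpts of the two stacks posted in this thread.
STACK_7F = """\
2b cfff4b6c 8d4e2e4b tcpip!IpFlcReceivePackets+0xbe5
2d cfff4bc4 94298027 fwpkclnt!FwpsInjectTransportReceiveAsync0+0x1bc
2e cfff4c14 9429a1ab vsdatant+0xd027
2f cfff4c44 9429b43d vsdatant+0xf1ab
30 cfff4c94 8d2dcef6 vsdatant+0x1043d
31 cfff4cb8 8d2c6f12 NETIO!ProcessNonBufferedCallout+0x23
42 cfff5898 8d49c515 tcpip!IpFlcReceivePackets+0xbe5"""
STACK_C4 = """\
07 8aa9f2e0 8fa2b9ee nt!ZwQueryInformationToken+0x11
08 8aa9f410 8fa2c513 nltdi+0x9ee
09 8aa9f480 8fa2b7a1 nltdi+0x1513
0a 8aa9f4b8 8354e6c3 nltdi+0x7a1
0b 8aa9f4dc 83252bc5 nt!IovCallDriver+0x258
19 8aa9fb80 905cfef2 nt!NtDeviceIoControlFile+0x2a
1a 8aa9fc04 83259896 bdselfpr+0x8ef2
1b 8aa9fc04 778c70f4 nt!KiSystemServicePostCall"""

def parse_frames(text):
    """Return [(frame_no, module, function_or_None)] by frame number; other lines are skipped."""
    hits = (FRAME.match(line) for line in text.splitlines())
    return sorted(((int(m[1], 16), m[2], m[3]) for m in hits if m), key=lambda f: f[0])

def unsymbolized_runs(frames):
    """(driver, what it called, who called it) for each run of symbol-less frames."""
    by_no = {no: (f"{mod}!{fn}" if fn else mod) for no, mod, fn in frames}
    runs = []
    for no, mod, fn in frames:
        if fn is None and runs and runs[-1][0] == mod and runs[-1][2] == no - 1:
            runs[-1][2] = no                       # extend the current run
        elif fn is None:
            runs.append([mod, no, no])             # [module, first frame, last frame]
    return [(mod, by_no.get(a - 1), by_no.get(b + 1)) for mod, a, b in runs]

def reentered(frames):
    """Symbolized functions present more than once: a path entered again before returning."""
    counts = Counter((mod, fn) for _, mod, fn in frames if fn)
    return sorted(f"{mod}!{fn}" for (mod, fn), n in counts.items() if n > 1)
```

Microsoft modules resolve against the public symbol server, so a run of bare `module+0xoffset` frames usually marks a third-party driver worth inspecting with `lmvm`.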
 
