Windows 10 BSOD paradise, multiple drivers and dumps

At least in this circumstance: source

[driver verifier enabled] I've also heard similar stories about WhoCrashed by other individuals, who claim it can be very wrong; however, in my circumstance it is in fact the opposite. So I will recommend at the very least, multiple dump analyzers from now on, but certainly WhoCrashed. I would not have been able to boot into Windows and WinDBG failed to detect a faulting driver obviously.... the latest WhoCrashed 6.6.0 detected lvbflt64.sys in the BSOD; it's a Logitech cam driver I rarely use and has been for the most part disabled in Windows.

WinDBG

Code:
Loading Dump File [C:\Users\PalmDesert\_jcgriff2_\dbug\__Kernel__\031219-13031-01.dmp]

Built by: 17763.1.amd64fre.rs5_release.180914-1434
Debug session time: Wed Mar 13 01:38:37.028 2019 (UTC - 4:00)
System Uptime: 0 days 0:00:20.823
Probably caused by : memory_corruption
DRIVER_VERIFIER_DETECTED_VIOLATION (c4)
BUGCHECK_STR:  0xc4_2004
DEFAULT_BUCKET_ID:  CODE_CORRUPTION
PROCESS_NAME:  System
FAILURE_BUCKET_ID:  MEMORY_CORRUPTION_LARGE
Bugcheck code 000000C4
Arguments 00000000`00002004 ffff8b06`eaf51b28 fffff805`5ab50208 ffffc888`5354d320

VS

Whocrashed:
Code:
On Tue 3/12/2019 10:38:37 PM your computer crashed or a problem was reported
crash dump file: C:\Windows\Minidump\031219-13031-01.dmp
This was probably caused by the following module: lvbflt64.sys (0xFFFFF8055AB50208)
Bugcheck code: 0xC4 (0x2004, 0xFFFF8B06EAF51B28, 0xFFFFF8055AB50208, 0xFFFFC8885354D320)
Error: DRIVER_VERIFIER_DETECTED_VIOLATION
file path: C:\Windows\system32\drivers\lvbflt64.sys
product: Logitech Webcam Software
company: Logitech Inc.
description: Logitech USB Video Class Filter Driver
Bug check description: This is the general bug check code for fatal errors found by Driver Verifier.
This appears to be a typical software driver bug and is not likely to be caused by a hardware problem.
A third party driver was identified as the probable root cause of this system error. It is suggested you look for an update for the following driver: lvbflt64.sys (Logitech USB Video Class Filter Driver, Logitech Inc.).
Google query: lvbflt64.sys Logitech Inc. DRIVER_VERIFIER_DETECTED_VIOLATION

After disabling this under /currentcontrolset/services/* my PC booted up straight away. With it enabled it crashed. So WinDBG is inadequate here. WhoCrashed won.
 

Hi. . .

The single dump processed through Windbg and WHOCRASHED -

Code:
Windbg
Debug session time: Wed Mar 13 01:38:37.028 2019 (UTC - 4:00)

Bugcheck code 000000C4
Arguments 00000000`00002004 ffff8b06`eaf51b28 fffff805`5ab50208 ffffc888`5354d320

(Bugcheck shortened and written with parentheses) -

0xc4 (0x2004, 0xffff8b06eaf51b28, 0xfffff8055ab50208, 0xffffc8885354d320)

Code:
WHOCRASHED

Tue 3/12/2019 10:38:37 PM

Bugcheck code: 0xC4 (0x2004, 0xFFFF8B06EAF51B28, 0xFFFFF8055AB50208, 0xFFFFC8885354D320)

My statement about the dumps being different based on timestamp was wrong. I had forgotten that Windbg adjusts for local time.

The bugchecks here tell us that they are the same dumps as the bugcheck and four parms (numbers inside the parentheses) are memory addresses (likely P2, P3, P4 are anyway) and there is no way that 2 completely different BSODs could have the same bugcheck + the 4 parms (numbers inside the parentheses). Furthermore - look at the times - they differ by 3 hours exactly - right down to the hundredths of a second.

I just don't understand where WHOCRASHED got the driver lvbflt64.sys from as it is not listed on the stack nor can I find it by issuing certain Windbg commands on the bugcheck parms (P2, P3, P4). Hopefully someone with superior knowledge about Windbg will come along and tell us so that we may better serve future OPs.

The answer must be either one of the parms (P2, P3, P4) or from a memory address on the stack. Or maybe somewhere else within the dump.

The parameters (parms) for a 0xc4 bugcheck are as follows:

The bugcheck + parms = 0xc4 (0x2004, 0xffff8b06eaf51b28, 0xfffff8055ab50208, 0xffffc8885354d320)

P1 = 0x2004
P2 = 0xffff8b06eaf51b28
P3 = 0xfffff8055ab50208
P4 = 0xffffc8885354d320

Explanations of the Parms from debugger.chm (included with Windbg) -
If P1 (the first number inside the parentheses) is = to 0x2004 then - (which is the case here) -
P2 = Pointer to the string that describes the violated rule condition.
P3 = Optional pointer to the rule state variable(s).
P4 = Reserved (means that Microsoft is not going to tell us what it is!)

Cause of the error: The driver violated the DDI compliance rule IrqlExAllocatePool. The IrqlExAllocatePool rule specifies that the driver calls ExAllocatePoolWithTag and ExAllocatePoolWithTagPriority only when at IRQL<=DISPATCH_LEVEL.

The entire Windbg dump output log is below.

Regards. . .

jcgriff2
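
Added example, not part of either post: one way to check the bugcheck parameters and the stack arguments against the loaded-module ranges that the debugger prints. The input lines are copied from the WinDBG log on this page; the function names are this example's own, and nothing on the page says WhoCrashed works this way.

```python
import re
from bisect import bisect_right
from typing import NamedTuple, Optional

# Lines copied from the WinDBG log on this page (module list, four modules only).
LM_OUTPUT = """\
start end module name
fffff805`54c08000 fffff805`55677000 nt ntkrnlmp.exe ***** Invalid (DEACB3CA)
fffff805`5ab10000 fffff805`5ab41000 usbccgp usbccgp.sys ***** Invalid (82D4CB5C)
fffff805`5ab50000 fffff805`5ab54b80 lvbflt64 lvbflt64.sys Mon Oct 22 22:10:38 2012 (5085FC9E)
fffff805`5afe0000 fffff805`5c409000 nvlddmkm nvlddmkm.sys Fri Mar 01 02:36:41 2019 (5C78E109)
"""
BUGCHECK_LINE = "BugCheck C4, {2004, ffff8b06eaf51b28, fffff8055ab50208, ffffc8885354d320}"
# Frame 05 of the kv output on this page.
FRAME_05 = ("05 ffffc888`5354d3c0 fffff805`552730ef : fffff805`5ab50130 "
            "ffffc888`5354d510 ffff8b06`ed14cb10 00000000`00000000 : "
            "nt!VfDriverLoadImage+0x24fd")

ADDR = r"[0-9a-fA-F]{8}`[0-9a-fA-F]{8}"
LM_ROW = re.compile(rf"^({ADDR})\s+({ADDR})\s+(\S+)\s+(\S+)", re.M)


class Module(NamedTuple):
    start: int
    end: int      # first address past the image, as lm prints it
    image: str


def to_int(text: str) -> int:
    """Convert WinDBG's 64-bit notation (with or without the backtick) to int."""
    return int(text.replace("`", ""), 16)


def parse_modules(lm_text: str) -> list[Module]:
    """Return the loaded-module ranges from lm output, sorted by start address."""
    rows = (Module(to_int(s), to_int(e), image)
            for s, e, _name, image in LM_ROW.findall(lm_text))
    return sorted(rows)


def resolve(addr: int, modules: list[Module]) -> Optional[str]:
    """Map an address to 'image+0xoffset', or None if no listed image contains it."""
    i = bisect_right([m.start for m in modules], addr) - 1
    if i >= 0 and addr < modules[i].end:
        return f"{modules[i].image}+0x{addr - modules[i].start:x}"
    return None  # pool, stack, or a gap between images


def bugcheck_params(line: str) -> tuple[int, list[int]]:
    """Parse 'BugCheck C4, {p1, p2, p3, p4}' into (code, [p1..p4])."""
    m = re.search(r"BugCheck\s+([0-9A-Fa-f]+),\s*\{([^}]*)\}", line)
    if not m:
        raise ValueError("not a BugCheck summary line")
    return int(m.group(1), 16), [int(p.strip(), 16) for p in m.group(2).split(",")]


def attribute_params(line: str, lm_text: str) -> dict[str, Optional[str]]:
    """Resolve each bugcheck parameter against the module list."""
    modules = parse_modules(lm_text)
    _code, params = bugcheck_params(line)
    return {f"P{n}": resolve(p, modules) for n, p in enumerate(params, 1)}


def attribute_frame(frame: str, lm_text: str) -> list[Optional[str]]:
    """Resolve every 64-bit value on one kv stack line (SP, return address, args)."""
    modules = parse_modules(lm_text)
    return [resolve(to_int(a), modules) for a in re.findall(ADDR, frame)]


if __name__ == "__main__":
    for name, hit in attribute_params(BUGCHECK_LINE, LM_OUTPUT).items():
        print(name, "->", hit or "not inside a listed image")
    print("frame 05:", attribute_frame(FRAME_05, LM_OUTPUT))
```

With the lines from this page, P3 resolves to lvbflt64.sys+0x208 and the first argument of frame 05 to lvbflt64.sys+0x130, while P2 and P4 fall outside every listed image. In the debugger, `lm a <address>` performs the same lookup for a single address.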


WINDBG DUMP OUTPUT LOG
Code:
Microsoft (R) Windows Debugger Version 10.0.10075.9 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.


Loading Dump File [C:\Users\PalmDesert\_jcgriff2_\dbug\__Kernel__\1\031219-13031-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available


************* Symbol Path validation summary **************
Response Time (ms) Location
Deferred SRV*c:\symbols*http://msdl.microsoft.com/download/symbols
Symbol search path is: SRV*c:\symbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
Windows 10 Kernel Version 17763 MP (4 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 17763.1.amd64fre.rs5_release.180914-1434
Machine Name:
Kernel base = 0xfffff805`54c08000 PsLoadedModuleList = 0xfffff805`550239b0
Debug session time: Wed Mar 13 01:38:37.028 2019 (UTC - 4:00)
System Uptime: 0 days 0:00:20.823
Loading Kernel Symbols
...............................................................
................................................................
....................
Loading User Symbols
Loading unloaded module list
......
No .natvis files found at C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\Visualizers.
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck C4, {2004, ffff8b06eaf51b28, fffff8055ab50208, ffffc8885354d320}


ffff8b06ea5fcb10: Unable to read TableSize for resource

ffff8b06ea5fcb10: Unable to read TableSize for resource

ffff8b06ea5fcb10: Unable to read TableSize for resource

ffff8b06ea5fcb10: Unable to read TableSize for resource
Probably caused by : memory_corruption

Followup: memory_corruption
---------

Processing initial command '!analyze -v;r;kv;lmtn;lmtsmn;.bugcheck'
1: kd> !analyze -v;r;kv;lmtn;lmtsmn;.bugcheck
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

DRIVER_VERIFIER_DETECTED_VIOLATION (c4)
A device driver attempting to corrupt the system has been caught. This is
because the driver was specified in the registry as being suspect (by the
administrator) and the kernel has enabled substantial checking of this driver.
If the driver attempts to corrupt the system, bugchecks 0xC4, 0xC1 and 0xA will
be among the most commonly seen crashes.
Arguments:
Arg1: 0000000000002004, subclass of driver violation.
Arg2: ffff8b06eaf51b28
Arg3: fffff8055ab50208
Arg4: ffffc8885354d320

Debugging Details:
------------------


ffff8b06ea5fcb10: Unable to read TableSize for resource

ffff8b06ea5fcb10: Unable to read TableSize for resource

ffff8b06ea5fcb10: Unable to read TableSize for resource

ffff8b06ea5fcb10: Unable to read TableSize for resource

BUGCHECK_P1: 2004

BUGCHECK_P2: ffff8b06eaf51b28

BUGCHECK_P3: fffff8055ab50208

BUGCHECK_P4: ffffc8885354d320

BUGCHECK_STR: 0xc4_2004

CPU_COUNT: 4

CPU_MHZ: fe2

CPU_VENDOR: GenuineIntel

CPU_FAMILY: 6

CPU_MODEL: 17

CPU_STEPPING: a

CUSTOMER_CRASH_COUNT: 1

DEFAULT_BUCKET_ID: CODE_CORRUPTION

PROCESS_NAME: System

CURRENT_IRQL: 0

ANALYSIS_VERSION: 10.0.10075.9 amd64fre

LOCK_ADDRESS: fffff8055503dc20 -- (!locks fffff8055503dc20)

ffff8b06ea5fcb10: Unable to read TableSize for resource
0 total locks

PNP_TRIAGE:
Lock address : 0xfffff8055503dc20
Thread Count : 1
Thread address: 0xffff8b06e8139080
Thread wait : 0x534

LAST_CONTROL_TRANSFER: from fffff80555537e63 to fffff80554dbb5e0

STACK_TEXT:
ffffc888`5354d258 fffff805`55537e63 : 00000000`000000c4 00000000`00002004 ffff8b06`eaf51b28 fffff805`5ab50208 : nt!KeBugCheckEx
ffffc888`5354d260 fffff805`54f1183b : fffff805`5500e2e4 00000000`00002004 ffff8b06`eaf51b28 fffff805`5ab50208 : nt!VerifierBugCheckIfAppropriate+0xdf
ffffc888`5354d2a0 fffff805`5552f42f : 00000000`00000000 ffffc888`5354d340 fffff805`5ab50208 fffff805`5553026e : nt!VfReportIssueWithOptions+0x103
ffffc888`5354d2f0 fffff805`5553fae9 : ffff8b06`eaf51ad0 ffff8b06`eaf51ad0 00000000`00000001 ffff8b06`e80445b0 : nt!VfCheckImageCompliance+0x28b
ffffc888`5354d370 fffff805`5552b421 : ffff8b06`eaf51ad0 00000000`00000000 ffff8b06`ed14cb00 fffff805`54c9b121 : nt!VfSuspectDriversLoadCallback+0x345
ffffc888`5354d3c0 fffff805`552730ef : fffff805`5ab50130 ffffc888`5354d510 ffff8b06`ed14cb10 00000000`00000000 : nt!VfDriverLoadImage+0x24fd
ffffc888`5354d410 fffff805`5526d23b : ffffc888`5354d618 00000000`00000000 00000000`00000000 00000000`00000001 : nt!MmLoadSystemImageEx+0x7ff
ffffc888`5354d5c0 fffff805`552f6e7b : 00000000`00000000 00000000`00000000 00000000`00000004 ffffc98f`00000004 : nt!IopLoadDriver+0x21b
ffffc888`5354d7a0 fffff805`552d9746 : ffffffff`80000301 ffffc98f`61121890 ffff8b06`f26c1600 00000000`0000000d : nt!PipCallDriverAddDeviceQueryRoutine+0x1b7
ffffc888`5354d840 fffff805`552d9209 : 00000000`00000000 ffffc888`5354d950 ffff8b06`f27cbb70 fffff805`00000002 : nt!PnpCallDriverQueryServiceHelper+0x1d2
ffffc888`5354d8f0 fffff805`552d872b : ffff8b06`f27cbb70 ffffc888`5354db18 ffff8b06`f27cbb70 00000000`00000000 : nt!PipCallDriverAddDevice+0x59d
ffffc888`5354daa0 fffff805`552eac26 : ffff8b06`eaf2b300 ffffc888`5354dc01 ffffc888`5354dbb0 fffff805`00000002 : nt!PipProcessDevNodeTree+0x1af
ffffc888`5354db60 fffff805`54d6229d : ffff8b01`00000003 ffff8b06`e8ade9a0 ffff8b06`eaf2b310 00000000`00000000 : nt!PiProcessReenumeration+0x82
ffffc888`5354dbb0 fffff805`54cbc1ea : ffff8b06`e8139080 fffff805`5503c540 ffff8b06`e8102c50 ffff8b06`00000000 : nt!PnpDeviceActionWorker+0x1dd
ffffc888`5354dc70 fffff805`54c8ebc5 : ffff8b06`e8139080 ffff8b06`e809a080 ffff8b06`e8139080 00000000`00000000 : nt!ExpWorkerThread+0x16a
ffffc888`5354dd10 fffff805`54dc2a3c : ffffdf00`2b560180 ffff8b06`e8139080 fffff805`54c8eb70 00000000`00000000 : nt!PspSystemThreadStartup+0x55
ffffc888`5354dd60 00000000`00000000 : ffffc888`5354e000 ffffc888`53548000 00000000`00000000 00000000`00000000 : nt!KiStartSystemThread+0x1c


STACK_COMMAND: kb

CHKIMG_EXTENSION: !chkimg -lo 50 -d !nt
fffff80554c0e799-fffff80554c0e79d 5 bytes - nt!MiInitializeWorkingSetList+49
[ df be 7d fb f6:d8 b0 61 c3 86 ]
fffff80554c0e7b8 - nt!MiInitializeWorkingSetList+68 (+0x1f)
[ f6:86 ]
fffff80554c0e810-fffff80554c0e811 2 bytes - nt!MiInitializeWorkingSetList+c0 (+0x58)
[ 80 fa:00 f0 ]
fffff80554c67dfc - nt!MiCountSharedPages+ac (+0x595ec)
[ f6:86 ]
fffff80554d00959-fffff80554d0095a 2 bytes - nt!MmUnlockPages+e9 (+0x98b5d)
[ 80 fa:00 f0 ]
fffff80554d0fae4-fffff80554d0fae7 4 bytes - nt!MmAccessFault+354 (+0xf18b)
[ be 7d fb f6:b0 61 c3 86 ]
fffff80554d0fb11-fffff80554d0fb14 4 bytes - nt!MmAccessFault+381 (+0x2d)
[ be 7d fb f6:b0 61 c3 86 ]
19 errors : !nt (fffff80554c0e799-fffff80554d0fb14)

MODULE_NAME: memory_corruption

IMAGE_NAME: memory_corruption

FOLLOWUP_NAME: memory_corruption

DEBUG_FLR_IMAGE_TIMESTAMP: 0

MEMORY_CORRUPTOR: LARGE

FAILURE_BUCKET_ID: MEMORY_CORRUPTION_LARGE

BUCKET_ID: MEMORY_CORRUPTION_LARGE

PRIMARY_PROBLEM_CLASS: MEMORY_CORRUPTION_LARGE

ANALYSIS_SOURCE: KM

FAILURE_ID_HASH_STRING: km:memory_corruption_large

FAILURE_ID_HASH: {e29154ac-69a4-0eb8-172a-a860f73c0a3c}

Followup: memory_corruption
---------

rax=ffffc8885354d320 rbx=000000000000000d rcx=00000000000000c4
rdx=0000000000002004 rsi=0000000000002004 rdi=00000000000000c4
rip=fffff80554dbb5e0 rsp=ffffc8885354d258 rbp=fffff8055ab50208
r8=ffff8b06eaf51b28 r9=fffff8055ab50208 r10=0000000000000004
r11=0000000000000000 r12=0000000000000000 r13=0000000000000001
r14=ffff8b06eaf51b28 r15=fffff8055ab501e8
iopl=0 nv up ei pl zr na po nc
cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00000246
nt!KeBugCheckEx:
fffff805`54dbb5e0 48894c2408 mov qword ptr [rsp+8],rcx ss:0018:ffffc888`5354d260=00000000000000c4
# Child-SP RetAddr : Args to Child : Call Site
00 ffffc888`5354d258 fffff805`55537e63 : 00000000`000000c4 00000000`00002004 ffff8b06`eaf51b28 fffff805`5ab50208 : nt!KeBugCheckEx
01 ffffc888`5354d260 fffff805`54f1183b : fffff805`5500e2e4 00000000`00002004 ffff8b06`eaf51b28 fffff805`5ab50208 : nt!VerifierBugCheckIfAppropriate+0xdf
02 ffffc888`5354d2a0 fffff805`5552f42f : 00000000`00000000 ffffc888`5354d340 fffff805`5ab50208 fffff805`5553026e : nt!VfReportIssueWithOptions+0x103
03 ffffc888`5354d2f0 fffff805`5553fae9 : ffff8b06`eaf51ad0 ffff8b06`eaf51ad0 00000000`00000001 ffff8b06`e80445b0 : nt!VfCheckImageCompliance+0x28b
04 ffffc888`5354d370 fffff805`5552b421 : ffff8b06`eaf51ad0 00000000`00000000 ffff8b06`ed14cb00 fffff805`54c9b121 : nt!VfSuspectDriversLoadCallback+0x345
05 ffffc888`5354d3c0 fffff805`552730ef : fffff805`5ab50130 ffffc888`5354d510 ffff8b06`ed14cb10 00000000`00000000 : nt!VfDriverLoadImage+0x24fd
06 ffffc888`5354d410 fffff805`5526d23b : ffffc888`5354d618 00000000`00000000 00000000`00000000 00000000`00000001 : nt!MmLoadSystemImageEx+0x7ff
07 ffffc888`5354d5c0 fffff805`552f6e7b : 00000000`00000000 00000000`00000000 00000000`00000004 ffffc98f`00000004 : nt!IopLoadDriver+0x21b
08 ffffc888`5354d7a0 fffff805`552d9746 : ffffffff`80000301 ffffc98f`61121890 ffff8b06`f26c1600 00000000`0000000d : nt!PipCallDriverAddDeviceQueryRoutine+0x1b7
09 ffffc888`5354d840 fffff805`552d9209 : 00000000`00000000 ffffc888`5354d950 ffff8b06`f27cbb70 fffff805`00000002 : nt!PnpCallDriverQueryServiceHelper+0x1d2
0a ffffc888`5354d8f0 fffff805`552d872b : ffff8b06`f27cbb70 ffffc888`5354db18 ffff8b06`f27cbb70 00000000`00000000 : nt!PipCallDriverAddDevice+0x59d
0b ffffc888`5354daa0 fffff805`552eac26 : ffff8b06`eaf2b300 ffffc888`5354dc01 ffffc888`5354dbb0 fffff805`00000002 : nt!PipProcessDevNodeTree+0x1af
0c ffffc888`5354db60 fffff805`54d6229d : ffff8b01`00000003 ffff8b06`e8ade9a0 ffff8b06`eaf2b310 00000000`00000000 : nt!PiProcessReenumeration+0x82
0d ffffc888`5354dbb0 fffff805`54cbc1ea : ffff8b06`e8139080 fffff805`5503c540 ffff8b06`e8102c50 ffff8b06`00000000 : nt!PnpDeviceActionWorker+0x1dd
0e ffffc888`5354dc70 fffff805`54c8ebc5 : ffff8b06`e8139080 ffff8b06`e809a080 ffff8b06`e8139080 00000000`00000000 : nt!ExpWorkerThread+0x16a
0f ffffc888`5354dd10 fffff805`54dc2a3c : ffffdf00`2b560180 ffff8b06`e8139080 fffff805`54c8eb70 00000000`00000000 : nt!PspSystemThreadStartup+0x55
10 ffffc888`5354dd60 00000000`00000000 : ffffc888`5354e000 ffffc888`53548000 00000000`00000000 00000000`00000000 : nt!KiStartSystemThread+0x1c
start end module name
fffff805`54c08000 fffff805`55677000 nt ntkrnlmp.exe ***** Invalid (DEACB3CA)
fffff805`55678000 fffff805`5570f000 hal hal.dll ***** Invalid (FBE06E6E)
fffff805`55800000 fffff805`5580b000 kd kd.dll Fri Feb 09 10:20:45 2035 (7A776DCD)
fffff805`57200000 fffff805`57225000 mup mup.sys ***** Invalid (D5074BA1)
fffff805`57230000 fffff805`57241000 iorate iorate.sys ***** Invalid (A096CD2D)
fffff805`57260000 fffff805`5727c000 disk disk.sys ***** Invalid (EB969297)
fffff805`57280000 fffff805`572ef000 CLASSPNP CLASSPNP.SYS Thu May 11 08:48:53 1995 (2FB207B5)
fffff805`57310000 fffff805`5732c000 crashdmp crashdmp.sys ***** Invalid (FEF3C415)
fffff805`57340000 fffff805`5734f000 dump_diskdump dump_diskdump.sys ***** Invalid (A0767573)
fffff805`57380000 fffff805`573ad000 dump_storahci dump_storahci.sys ***** Invalid (E94316B7)
fffff805`573d0000 fffff805`573ed000 dump_dumpfve dump_dumpfve.sys Fri Dec 11 15:20:41 2015 (566B3019)
fffff805`573f0000 fffff805`5741e000 cdrom cdrom.sys Sat May 06 17:45:03 2017 (590E43DF)
fffff805`57420000 fffff805`57435000 filecrypt filecrypt.sys Sun Aug 13 10:30:12 2034 (798A13F4)
fffff805`57440000 fffff805`5744e000 tbs tbs.sys Wed Dec 03 00:21:40 2036 (7DE0F3E4)
fffff805`57450000 fffff805`57500000 eamonm eamonm.sys Thu Sep 20 03:30:09 2018 (5BA34C81)
fffff805`57510000 fffff805`5751a000 Null Null.SYS Tue Jan 24 04:50:47 1989 (23DC46F7)
fffff805`57520000 fffff805`5752a000 Beep Beep.SYS ***** Invalid (E2569389)
fffff805`57530000 fffff805`5755d000 ehdrv ehdrv.sys Wed Aug 08 15:54:47 2018 (5B6B4A87)
fffff805`57560000 fffff805`5756c000 em000k_64 em000k_64.dll Wed Jun 21 03:44:58 2017 (594A23FA)
fffff805`57570000 fffff805`575b3000 em006_64 em006_64.dll Mon Jan 07 10:31:01 2019 (5C3370B5)
fffff805`575c0000 fffff805`575fe000 em018k_64 em018k_64.dll Tue Feb 26 05:59:55 2019 (5C751C2B)
fffff805`57600000 fffff805`5793e000 dxgkrnl dxgkrnl.sys Tue Sep 01 18:50:46 2020 (5F4ED046)
fffff805`57940000 fffff805`57956000 watchdog watchdog.sys ***** Invalid (8D7A0DF0)
fffff805`57960000 fffff805`57976000 BasicDisplay BasicDisplay.sys ***** Invalid (D39D4B86)
fffff805`57980000 fffff805`57991000 BasicRender BasicRender.sys Sat Jul 21 21:02:48 2012 (500B5138)
fffff805`579a0000 fffff805`579bc000 Npfs Npfs.SYS Sat Jul 09 15:56:34 1994 (2E1F00F2)
fffff805`579c0000 fffff805`579d1000 Msfs Msfs.SYS Fri Oct 24 02:27:06 2008 (49016ABA)
fffff805`579e0000 fffff805`579f3000 epfw epfw.sys Wed Dec 19 11:55:33 2018 (5C1A7805)
fffff805`57a00000 fffff805`57a68000 em008k_64 em008k_64.dll Mon Dec 17 09:30:28 2018 (5C17B304)
fffff805`57a70000 fffff805`57b0e000 em042_64 em042_64.dll Tue Nov 27 09:32:36 2018 (5BFD5584)
fffff805`57b10000 fffff805`57b37000 tdx tdx.sys ***** Invalid (AFDABF6D)
fffff805`57b40000 fffff805`57b50000 TDI TDI.SYS ***** Invalid (E9708B47)
fffff805`57b60000 fffff805`57b7a000 networx networx.sys Wed Aug 29 14:20:28 2018 (5B86E3EC)
fffff805`57b90000 fffff805`57b9b000 Capsax64Drv Capsax64Drv.sys Wed Apr 22 06:38:03 2009 (49EEF38B)
fffff805`57ba0000 fffff805`57bb3000 afunix afunix.sys ***** Invalid (CE69FF46)
fffff805`57bc0000 fffff805`57c66000 afd afd.sys ***** Invalid (E7A7D654)
fffff805`57c70000 fffff805`57cb4000 VBoxNetLwf VBoxNetLwf.sys Fri Jan 25 13:59:03 2019 (5C4B5C77)
fffff805`57cc0000 fffff805`57cdd000 epfwwfp epfwwfp.sys Wed Dec 19 11:55:33 2018 (5C1A7805)
fffff805`57cf0000 fffff805`57d5d000 volsnap volsnap.sys ***** Invalid (AC1C69A4)
fffff805`57d60000 fffff805`57d82000 SysmonDrv SysmonDrv.sys Mon Feb 18 16:48:24 2019 (5C6B2828)
fffff805`57d90000 fffff805`57ddf000 rdyboost rdyboost.sys Sun Aug 26 18:38:42 2018 (5B832BF2)
fffff805`57de0000 fffff805`57df5000 npcap npcap.sys Fri Jan 11 10:44:05 2019 (5C38B9C5)
fffff805`57e00000 fffff805`57e94000 csc csc.sys Thu May 23 03:54:40 2030 (71977CC0)
fffff805`57ea0000 fffff805`57f22000 zamguard64 zamguard64.sys Wed Aug 17 13:06:53 2016 (57B499AD)
fffff805`57f30000 fffff805`57fb2000 zam64 zam64.sys Wed Aug 17 13:06:53 2016 (57B499AD)
fffff805`57fc0000 fffff805`57ff3000 VBoxUSBMon VBoxUSBMon.sys Fri Jan 25 13:59:03 2019 (5C4B5C77)
fffff805`58000000 fffff805`580fd000 VBoxDrv VBoxDrv.sys Fri Jan 25 13:59:37 2019 (5C4B5C99)
fffff805`58100000 fffff805`58112000 nsiproxy nsiproxy.sys Mon Sep 04 03:50:23 1972 (050877BF)
fffff805`58120000 fffff805`5812d000 npsvctrig npsvctrig.sys Mon Feb 23 01:11:04 2037 (7E4D1A78)
fffff805`58130000 fffff805`58140000 mssmbios mssmbios.sys ***** Invalid (A51D1A67)
fffff805`58150000 fffff805`5815a000 HWiNFO64A HWiNFO64A.SYS Tue Mar 31 05:51:32 2015 (551A6E24)
fffff805`58160000 fffff805`5816a000 gpuenergydrv gpuenergydrv.sys ***** Invalid (DA1C403F)
fffff805`58170000 fffff805`58196000 mbae64 mbae64.sys Tue Nov 20 07:32:14 2018 (5BF3FECE)
fffff805`581a0000 fffff805`581cc000 dfsc dfsc.sys ***** Invalid (E60CDDBC)
fffff805`581d0000 fffff805`581e1000 CompositeBus CompositeBus.sys ***** Invalid (DD86440A)
fffff805`581f0000 fffff805`58204000 bam bam.sys Fri Nov 13 20:53:16 1981 (1653310C)
fffff805`58210000 fffff805`5825e000 ahcache ahcache.sys Mon Jan 09 15:47:24 1995 (2F11A0DC)
fffff805`58260000 fffff805`5826c000 loop loop.sys Fri Aug 27 04:16:02 2027 (6C7125C2)
fffff805`58270000 fffff805`582f4000 Vid Vid.sys ***** Invalid (F42473AC)
fffff805`58300000 fffff805`5831e000 winhvr winhvr.sys ***** Invalid (BDDA6167)
fffff805`58330000 fffff805`5835b000 pacer pacer.sys ***** Invalid (BD6E6BA5)
fffff805`58360000 fffff805`58374000 netbios netbios.sys ***** Invalid (BA5B5FB4)
fffff805`58380000 fffff805`583fa000 rdbss rdbss.sys Thu Dec 29 02:55:33 1983 (1A514075)
fffff805`58f70000 fffff805`58f85000 umbus umbus.sys ***** Invalid (83197D71)
fffff805`58f90000 fffff805`58fce000 intelppm intelppm.sys Wed Feb 08 18:16:35 2012 (4F330253)
fffff805`5a600000 fffff805`5a61c000 usbehci usbehci.sys ***** Invalid (B398C408)
fffff805`5a620000 fffff805`5a735000 rt640x64 rt640x64.sys Fri Jun 15 00:10:42 2018 (5B233C42)
fffff805`5a740000 fffff805`5a7b8000 USBXHCI USBXHCI.SYS ***** Invalid (DD7F1F39)
fffff805`5a7c0000 fffff805`5a7ff000 ucx01000 ucx01000.sys Sat Jan 03 10:23:30 2037 (7E0A5F72)
fffff805`5a800000 fffff805`5a808000 ASACPI ASACPI.sys Thu Nov 01 21:54:34 2012 (509327DA)
fffff805`5a810000 fffff805`5a81d000 NdisVirtualBus NdisVirtualBus.sys Thu Mar 27 17:31:46 1997 (333AE742)
fffff805`5a820000 fffff805`5a82c000 swenum swenum.sys ***** Invalid (8B90F92A)
fffff805`5a830000 fffff805`5a85f000 BazisVirtualCDBus BazisVirtualCDBus.sys Sat Sep 26 22:51:28 2015 (560759B0)
fffff805`5a860000 fffff805`5a8e8000 usbhub usbhub.sys Mon Jun 09 02:01:34 1997 (339B9C3E)
fffff805`5a8f0000 fffff805`5a8fe000 USBD USBD.SYS ***** Invalid (C7E3B3E8)
fffff805`5a900000 fffff805`5a968000 HdAudio HdAudio.sys Wed Aug 26 11:46:58 2015 (55DDDF72)
fffff805`5a970000 fffff805`5a97f000 ksthunk ksthunk.sys ***** Invalid (D43D6B7C)
fffff805`5a980000 fffff805`5aa13000 UsbHub3 UsbHub3.sys Sat Jan 23 04:05:51 2010 (4B5ABBEF)
fffff805`5aa20000 fffff805`5aa45000 USBSTOR USBSTOR.SYS ***** Invalid (EC3DCED0)
fffff805`5aa50000 fffff805`5aa62000 hidusb hidusb.sys Sun Jul 18 13:59:02 1971 (02E73966)
fffff805`5aa70000 fffff805`5aaab000 HIDCLASS HIDCLASS.SYS Sun Sep 30 14:58:36 1979 (1255155C)
fffff805`5aab0000 fffff805`5aac3000 HIDPARSE HIDPARSE.SYS Sun Dec 27 00:38:28 2015 (567F7954)
fffff805`5aad0000 fffff805`5aada000 wdcsam64 wdcsam64.sys Fri Oct 09 16:31:13 2015 (56182411)
fffff805`5aae0000 fffff805`5aaef000 mouhid mouhid.sys Thu Jan 18 04:52:01 2007 (45AF4341)
fffff805`5aaf0000 fffff805`5ab03000 mouclass mouclass.sys ***** Invalid (80F98B92)
fffff805`5ab10000 fffff805`5ab41000 usbccgp usbccgp.sys ***** Invalid (82D4CB5C)
fffff805`5ab50000 fffff805`5ab54b80 lvbflt64 lvbflt64.sys Mon Oct 22 22:10:38 2012 (5085FC9E)
fffff805`5afe0000 fffff805`5c409000 nvlddmkm nvlddmkm.sys Fri Mar 01 02:36:41 2019 (5C78E109)
fffff805`5c410000 fffff805`5c42f000 HDAudBus HDAudBus.sys Fri Aug 17 18:16:38 1979 (121B41C6)
fffff805`5c430000 fffff805`5c495000 portcls portcls.sys ***** Invalid (8DFE43A2)
fffff805`5c4a0000 fffff805`5c4c1000 drmk drmk.sys Sun Jun 11 00:38:03 2000 (394317AB)
fffff805`5c4d0000 fffff805`5c546000 ks ks.sys Mon May 03 21:15:30 2027 (6BD926B2)
fffff805`5c550000 fffff805`5c560000 usbuhci usbuhci.sys Sun Oct 02 19:41:39 2011 (4E88F6B3)
fffff805`5c570000 fffff805`5c5eb000 USBPORT USBPORT.SYS Sat May 29 20:01:47 1999 (37507FEB)
fffff80e`81a00000 fffff80e`81a18000 PSHED PSHED.dll Tue Nov 07 10:06:38 2034 (79FB7D7E)
fffff80e`81a20000 fffff80e`81a2b000 BOOTVID BOOTVID.dll Fri Nov 24 18:09:33 1995 (30B650AD)
fffff80e`81a30000 fffff80e`81aa0000 FLTMGR FLTMGR.SYS Thu Jul 24 00:42:54 1975 (0A74874E)
fffff80e`81ab0000 fffff80e`81bb9000 clipsp clipsp.sys Thu Nov 29 20:37:56 2018 (5C009474)
fffff80e`81bc0000 fffff80e`81bce000 cmimcext cmimcext.sys Thu Aug 19 18:55:44 2010 (4C6DB670)
fffff80e`81bd0000 fffff80e`81bdc000 ntosext ntosext.sys Fri Mar 03 22:05:50 2028 (6D6B5A0E)
fffff80e`81be0000 fffff80e`81cb3000 CI CI.dll Mon Aug 26 16:15:04 2030 (721568C8)
fffff80e`81cc0000 fffff80e`81d77000 cng cng.sys ***** Invalid (A7D172D6)
fffff80e`81d80000 fffff80e`81e05000 VerifierExt VerifierExt.sys ***** Invalid (FFC45489)
fffff80e`81e10000 fffff80e`81ee1000 Wdf01000 Wdf01000.sys ***** Invalid (AF1CEDD2)
fffff80e`81f00000 fffff80e`8208e000 mcupdate_GenuineIntel mcupdate_GenuineIntel.dll Wed Dec 26 23:46:12 2001 (3C2AA794)
fffff80e`82090000 fffff80e`820f2000 msrpc msrpc.sys ***** Invalid (824F01ED)
fffff80e`82100000 fffff80e`8212b000 ksecdd ksecdd.sys ***** Invalid (C0930B22)
fffff80e`82130000 fffff80e`82141000 werkernel werkernel.sys Sat Aug 14 07:55:58 1971 (030A7CCE)
fffff80e`82150000 fffff80e`821ba000 CLFS CLFS.SYS ***** Invalid (F777DB3A)
fffff80e`821c0000 fffff80e`821e7000 tm tm.sys ***** Invalid (F1AC5A2F)
fffff80e`82200000 fffff80e`82210000 WppRecorder WppRecorder.sys ***** Invalid (E5178B49)
fffff80e`82220000 fffff80e`8222f000 SleepStudyHelper SleepStudyHelper.sys ***** Invalid (D42ABCCC)
fffff80e`82230000 fffff80e`82254000 acpiex acpiex.sys Mon Jun 16 22:07:59 1975 (0A439B7F)
fffff80e`82260000 fffff80e`822b1000 mssecflt mssecflt.sys Fri Jun 07 08:17:10 2013 (51B1CF46)
fffff80e`822c0000 fffff80e`822da000 SgrmAgent SgrmAgent.sys ***** Invalid (F7CA286D)
fffff80e`822e0000 fffff80e`823a8000 ACPI ACPI.sys ***** Invalid (A49A6357)
fffff80e`823b0000 fffff80e`823bc000 WMILIB WMILIB.SYS Tue Apr 19 22:19:11 2033 (7710989F)
fffff80e`823c0000 fffff80e`823da000 vwififlt vwififlt.sys ***** Invalid (B1239F86)
fffff80e`823e0000 fffff80e`82423000 intelpep intelpep.sys ***** Invalid (83F72A94)
fffff80e`82430000 fffff80e`82446000 WindowsTrustedRT WindowsTrustedRT.sys ***** Invalid (BD0B79F0)
fffff80e`82450000 fffff80e`8245b000 WindowsTrustedRTProxy WindowsTrustedRTProxy.sys Tue May 14 12:37:30 2013 (5192684A)
fffff80e`82460000 fffff80e`82474000 pcw pcw.sys ***** Invalid (C6C870F7)
fffff80e`82480000 fffff80e`8248b000 msisadrv msisadrv.sys Sun Nov 07 01:38:33 2004 (418DC2E9)
fffff80e`82490000 fffff80e`824fb000 pci pci.sys Sat Mar 30 03:50:00 1991 (27F44328)
fffff80e`82500000 fffff80e`82512000 vdrvroot vdrvroot.sys ***** Invalid (8ED5F3A9)
fffff80e`82520000 fffff80e`8254e000 pdc pdc.sys Tue Apr 02 18:59:08 2024 (660C8DBC)
fffff80e`82550000 fffff80e`82569000 CEA CEA.sys ***** Invalid (9B4697B8)
fffff80e`82570000 fffff80e`8259f000 partmgr partmgr.sys Mon Jun 19 19:20:15 1995 (2FE6062F)
fffff80e`825a0000 fffff80e`82643000 spaceport spaceport.sys ***** Invalid (D550BE88)
fffff80e`82650000 fffff80e`82669000 volmgr volmgr.sys ***** Invalid (91784A41)
fffff80e`82670000 fffff80e`826d3000 volmgrx volmgrx.sys Tue Dec 25 16:43:09 2012 (50DA1DED)
fffff80e`826e0000 fffff80e`826ff000 mountmgr mountmgr.sys ***** Invalid (A8481DD2)
fffff80e`82700000 fffff80e`8272d000 storahci storahci.sys ***** Invalid (E94316B7)
fffff80e`82730000 fffff80e`827cb000 storport storport.sys Sun Dec 23 08:22:26 2007 (476E6112)
fffff80e`827f0000 fffff80e`8280a000 fileinfo fileinfo.sys ***** Invalid (85B4F747)
fffff80e`82810000 fffff80e`8284e000 Wof Wof.sys Mon Nov 14 18:36:29 1988 (237F6DFD)
fffff80e`82850000 fffff80e`82add000 Ntfs Ntfs.sys Mon Jul 12 05:58:44 1971 (02DEDFD4)
fffff80e`82ae0000 fffff80e`82aed000 Fs_Rec Fs_Rec.sys ***** Invalid (CFF89B5E)
fffff80e`82af0000 fffff80e`82c43000 ndis ndis.sys Sat Jul 28 03:04:47 2029 (700D408F)
fffff80e`82c50000 fffff80e`82ce5000 NETIO NETIO.SYS ***** Invalid (C0E588AF)
fffff80e`82cf0000 fffff80e`82d22000 ksecpkg ksecpkg.sys ***** Invalid (CD0C90B8)
fffff80e`82d30000 fffff80e`8300b000 tcpip tcpip.sys Tue Feb 07 05:38:50 2023 (63E22A3A)
fffff80e`83010000 fffff80e`83088000 fwpkclnt fwpkclnt.sys ***** Invalid (DF926DC9)
fffff80e`83090000 fffff80e`830c0000 wfplwfs wfplwfs.sys ***** Invalid (8AE4C0AC)
fffff80e`830d0000 fffff80e`83198000 fvevol fvevol.sys Wed Sep 15 11:15:15 1993 (2C973183)
fffff80e`831a0000 fffff80e`831ab000 volume volume.sys ***** Invalid (CB3F72CF)
fffff80e`831b0000 fffff80e`831c5000 npf npf.sys Fri Jan 11 10:44:33 2019 (5C38B9E1)
fffff80e`831e0000 fffff80e`831f3000 WDFLDR WDFLDR.SYS Thu Jan 31 16:00:20 2008 (47A236E4)

Unloaded modules:
fffff80e`827d0000 fffff80e`827ed000 EhStorClass.
Timestamp: unavailable (00000000)
Checksum: 00000000
ImageSize: 0001D000
fffff805`581d0000 fffff805`581ec000 dam.sys
Timestamp: unavailable (00000000)
Checksum: 00000000
ImageSize: 0001C000
fffff805`57b80000 fffff805`57b8b000 CsNdisLWF.sy
Timestamp: unavailable (00000000)
Checksum: 00000000
ImageSize: 0000B000
fffff80e`823d0000 fffff80e`823d9000 MbamElam.sys
Timestamp: unavailable (00000000)
Checksum: 00000000
ImageSize: 00009000
fffff80e`823c0000 fffff80e`823c9000 eelam.sys
Timestamp: unavailable (00000000)
Checksum: 00000000
ImageSize: 00009000
fffff805`57250000 fffff805`57260000 hwpolicy.sys
Timestamp: unavailable (00000000)
Checksum: 00000000
ImageSize: 00010000
start end module name
fffff80e`822e0000 fffff80e`823a8000 ACPI ACPI.sys ***** Invalid (A49A6357)
fffff80e`82230000 fffff80e`82254000 acpiex acpiex.sys Mon Jun 16 22:07:59 1975 (0A439B7F)
fffff805`57bc0000 fffff805`57c66000 afd afd.sys ***** Invalid (E7A7D654)
fffff805`57ba0000 fffff805`57bb3000 afunix afunix.sys ***** Invalid (CE69FF46)
fffff805`58210000 fffff805`5825e000 ahcache ahcache.sys Mon Jan 09 15:47:24 1995 (2F11A0DC)
fffff805`5a800000 fffff805`5a808000 ASACPI ASACPI.sys Thu Nov 01 21:54:34 2012 (509327DA)
fffff805`581f0000 fffff805`58204000 bam bam.sys Fri Nov 13 20:53:16 1981 (1653310C)
fffff805`57960000 fffff805`57976000 BasicDisplay BasicDisplay.sys ***** Invalid (D39D4B86)
fffff805`57980000 fffff805`57991000 BasicRender BasicRender.sys Sat Jul 21 21:02:48 2012 (500B5138)
fffff805`5a830000 fffff805`5a85f000 BazisVirtualCDBus BazisVirtualCDBus.sys Sat Sep 26 22:51:28 2015 (560759B0)
fffff805`57520000 fffff805`5752a000 Beep Beep.SYS ***** Invalid (E2569389)
fffff80e`81a20000 fffff80e`81a2b000 BOOTVID BOOTVID.dll Fri Nov 24 18:09:33 1995 (30B650AD)
fffff805`57b90000 fffff805`57b9b000 Capsax64Drv Capsax64Drv.sys Wed Apr 22 06:38:03 2009 (49EEF38B)
fffff805`573f0000 fffff805`5741e000 cdrom cdrom.sys Sat May 06 17:45:03 2017 (590E43DF)
fffff80e`82550000 fffff80e`82569000 CEA CEA.sys ***** Invalid (9B4697B8)
fffff80e`81be0000 fffff80e`81cb3000 CI CI.dll Mon Aug 26 16:15:04 2030 (721568C8)
fffff805`57280000 fffff805`572ef000 CLASSPNP CLASSPNP.SYS Thu May 11 08:48:53 1995 (2FB207B5)
fffff80e`82150000 fffff80e`821ba000 CLFS CLFS.SYS ***** Invalid (F777DB3A)
fffff80e`81ab0000 fffff80e`81bb9000 clipsp clipsp.sys Thu Nov 29 20:37:56 2018 (5C009474)
fffff80e`81bc0000 fffff80e`81bce000 cmimcext cmimcext.sys Thu Aug 19 18:55:44 2010 (4C6DB670)
fffff80e`81cc0000 fffff80e`81d77000 cng cng.sys ***** Invalid (A7D172D6)
fffff805`581d0000 fffff805`581e1000 CompositeBus CompositeBus.sys ***** Invalid (DD86440A)
fffff805`57310000 fffff805`5732c000 crashdmp crashdmp.sys ***** Invalid (FEF3C415)
fffff805`57e00000 fffff805`57e94000 csc csc.sys Thu May 23 03:54:40 2030 (71977CC0)
fffff805`581a0000 fffff805`581cc000 dfsc dfsc.sys ***** Invalid (E60CDDBC)
fffff805`57260000 fffff805`5727c000 disk disk.sys ***** Invalid (EB969297)
fffff805`5c4a0000 fffff805`5c4c1000 drmk drmk.sys Sun Jun 11 00:38:03 2000 (394317AB)
fffff805`57340000 fffff805`5734f000 dump_diskdump dump_diskdump.sys ***** Invalid (A0767573)
fffff805`573d0000 fffff805`573ed000 dump_dumpfve dump_dumpfve.sys Fri Dec 11 15:20:41 2015 (566B3019)
fffff805`57380000 fffff805`573ad000 dump_storahci dump_storahci.sys ***** Invalid (E94316B7)
fffff805`57600000 fffff805`5793e000 dxgkrnl dxgkrnl.sys Tue Sep 01 18:50:46 2020 (5F4ED046)
fffff805`57450000 fffff805`57500000 eamonm eamonm.sys Thu Sep 20 03:30:09 2018 (5BA34C81)
fffff805`57530000 fffff805`5755d000 ehdrv ehdrv.sys Wed Aug 08 15:54:47 2018 (5B6B4A87)
fffff805`57560000 fffff805`5756c000 em000k_64 em000k_64.dll Wed Jun 21 03:44:58 2017 (594A23FA)
fffff805`57570000 fffff805`575b3000 em006_64 em006_64.dll Mon Jan 07 10:31:01 2019 (5C3370B5)
fffff805`57a00000 fffff805`57a68000 em008k_64 em008k_64.dll Mon Dec 17 09:30:28 2018 (5C17B304)
fffff805`575c0000 fffff805`575fe000 em018k_64 em018k_64.dll Tue Feb 26 05:59:55 2019 (5C751C2B)
fffff805`57a70000 fffff805`57b0e000 em042_64 em042_64.dll Tue Nov 27 09:32:36 2018 (5BFD5584)
fffff805`579e0000 fffff805`579f3000 epfw epfw.sys Wed Dec 19 11:55:33 2018 (5C1A7805)
fffff805`57cc0000 fffff805`57cdd000 epfwwfp epfwwfp.sys Wed Dec 19 11:55:33 2018 (5C1A7805)
fffff805`57420000 fffff805`57435000 filecrypt filecrypt.sys Sun Aug 13 10:30:12 2034 (798A13F4)
fffff80e`827f0000 fffff80e`8280a000 fileinfo fileinfo.sys ***** Invalid (85B4F747)
fffff80e`81a30000 fffff80e`81aa0000 FLTMGR FLTMGR.SYS Thu Jul 24 00:42:54 1975 (0A74874E)
fffff80e`82ae0000 fffff80e`82aed000 Fs_Rec Fs_Rec.sys ***** Invalid (CFF89B5E)
fffff80e`830d0000 fffff80e`83198000 fvevol fvevol.sys Wed Sep 15 11:15:15 1993 (2C973183)
fffff80e`83010000 fffff80e`83088000 fwpkclnt fwpkclnt.sys ***** Invalid (DF926DC9)
fffff805`58160000 fffff805`5816a000 gpuenergydrv gpuenergydrv.sys ***** Invalid (DA1C403F)
fffff805`55678000 fffff805`5570f000 hal hal.dll ***** Invalid (FBE06E6E)
fffff805`5c410000 fffff805`5c42f000 HDAudBus HDAudBus.sys Fri Aug 17 18:16:38 1979 (121B41C6)
fffff805`5a900000 fffff805`5a968000 HdAudio HdAudio.sys Wed Aug 26 11:46:58 2015 (55DDDF72)
fffff805`5aa70000 fffff805`5aaab000 HIDCLASS HIDCLASS.SYS Sun Sep 30 14:58:36 1979 (1255155C)
fffff805`5aab0000 fffff805`5aac3000 HIDPARSE HIDPARSE.SYS Sun Dec 27 00:38:28 2015 (567F7954)
fffff805`5aa50000 fffff805`5aa62000 hidusb hidusb.sys Sun Jul 18 13:59:02 1971 (02E73966)
fffff805`58150000 fffff805`5815a000 HWiNFO64A HWiNFO64A.SYS Tue Mar 31 05:51:32 2015 (551A6E24)
fffff80e`823e0000 fffff80e`82423000 intelpep intelpep.sys ***** Invalid (83F72A94)
fffff805`58f90000 fffff805`58fce000 intelppm intelppm.sys Wed Feb 08 18:16:35 2012 (4F330253)
fffff805`57230000 fffff805`57241000 iorate iorate.sys ***** Invalid (A096CD2D)
fffff805`55800000 fffff805`5580b000 kd kd.dll Fri Feb 09 10:20:45 2035 (7A776DCD)
fffff805`5c4d0000 fffff805`5c546000 ks ks.sys Mon May 03 21:15:30 2027 (6BD926B2)
fffff80e`82100000 fffff80e`8212b000 ksecdd ksecdd.sys ***** Invalid (C0930B22)
fffff80e`82cf0000 fffff80e`82d22000 ksecpkg ksecpkg.sys ***** Invalid (CD0C90B8)
fffff805`5a970000 fffff805`5a97f000 ksthunk ksthunk.sys ***** Invalid (D43D6B7C)
fffff805`58260000 fffff805`5826c000 loop loop.sys Fri Aug 27 04:16:02 2027 (6C7125C2)
fffff805`5ab50000 fffff805`5ab54b80 lvbflt64 lvbflt64.sys Mon Oct 22 22:10:38 2012 (5085FC9E)
fffff805`58170000 fffff805`58196000 mbae64 mbae64.sys Tue Nov 20 07:32:14 2018 (5BF3FECE)
fffff80e`81f00000 fffff80e`8208e000 mcupdate_GenuineIntel mcupdate_GenuineIntel.dll Wed Dec 26 23:46:12 2001 (3C2AA794)
fffff805`5aaf0000 fffff805`5ab03000 mouclass mouclass.sys ***** Invalid (80F98B92)
fffff805`5aae0000 fffff805`5aaef000 mouhid mouhid.sys Thu Jan 18 04:52:01 2007 (45AF4341)
fffff80e`826e0000 fffff80e`826ff000 mountmgr mountmgr.sys ***** Invalid (A8481DD2)
fffff805`579c0000 fffff805`579d1000 Msfs Msfs.SYS Fri Oct 24 02:27:06 2008 (49016ABA)
fffff80e`82480000 fffff80e`8248b000 msisadrv msisadrv.sys Sun Nov 07 01:38:33 2004 (418DC2E9)
fffff80e`82090000 fffff80e`820f2000 msrpc msrpc.sys ***** Invalid (824F01ED)
fffff80e`82260000 fffff80e`822b1000 mssecflt mssecflt.sys Fri Jun 07 08:17:10 2013 (51B1CF46)
fffff805`58130000 fffff805`58140000 mssmbios mssmbios.sys ***** Invalid (A51D1A67)
fffff805`57200000 fffff805`57225000 mup mup.sys ***** Invalid (D5074BA1)
fffff80e`82af0000 fffff80e`82c43000 ndis ndis.sys Sat Jul 28 03:04:47 2029 (700D408F)
fffff805`5a810000 fffff805`5a81d000 NdisVirtualBus NdisVirtualBus.sys Thu Mar 27 17:31:46 1997 (333AE742)
fffff805`58360000 fffff805`58374000 netbios netbios.sys ***** Invalid (BA5B5FB4)
fffff80e`82c50000 fffff80e`82ce5000 NETIO NETIO.SYS ***** Invalid (C0E588AF)
fffff805`57b60000 fffff805`57b7a000 networx networx.sys Wed Aug 29 14:20:28 2018 (5B86E3EC)
fffff805`57de0000 fffff805`57df5000 npcap npcap.sys Fri Jan 11 10:44:05 2019 (5C38B9C5)
fffff80e`831b0000 fffff80e`831c5000 npf npf.sys Fri Jan 11 10:44:33 2019 (5C38B9E1)
fffff805`579a0000 fffff805`579bc000 Npfs Npfs.SYS Sat Jul 09 15:56:34 1994 (2E1F00F2)
fffff805`58120000 fffff805`5812d000 npsvctrig npsvctrig.sys Mon Feb 23 01:11:04 2037 (7E4D1A78)
fffff805`58100000 fffff805`58112000 nsiproxy nsiproxy.sys Mon Sep 04 03:50:23 1972 (050877BF)
fffff805`54c08000 fffff805`55677000 nt ntkrnlmp.exe ***** Invalid (DEACB3CA)
fffff80e`82850000 fffff80e`82add000 Ntfs Ntfs.sys Mon Jul 12 05:58:44 1971 (02DEDFD4)
fffff80e`81bd0000 fffff80e`81bdc000 ntosext ntosext.sys Fri Mar 03 22:05:50 2028 (6D6B5A0E)
fffff805`57510000 fffff805`5751a000 Null Null.SYS Tue Jan 24 04:50:47 1989 (23DC46F7)
fffff805`5afe0000 fffff805`5c409000 nvlddmkm nvlddmkm.sys Fri Mar 01 02:36:41 2019 (5C78E109)
fffff805`58330000 fffff805`5835b000 pacer pacer.sys ***** Invalid (BD6E6BA5)
fffff80e`82570000 fffff80e`8259f000 partmgr partmgr.sys Mon Jun 19 19:20:15 1995 (2FE6062F)
fffff80e`82490000 fffff80e`824fb000 pci pci.sys Sat Mar 30 03:50:00 1991 (27F44328)
fffff80e`82460000 fffff80e`82474000 pcw pcw.sys ***** Invalid (C6C870F7)
fffff80e`82520000 fffff80e`8254e000 pdc pdc.sys Tue Apr 02 18:59:08 2024 (660C8DBC)
fffff805`5c430000 fffff805`5c495000 portcls portcls.sys ***** Invalid (8DFE43A2)
fffff80e`81a00000 fffff80e`81a18000 PSHED PSHED.dll Tue Nov 07 10:06:38 2034 (79FB7D7E)
fffff805`58380000 fffff805`583fa000 rdbss rdbss.sys Thu Dec 29 02:55:33 1983 (1A514075)
fffff805`57d90000 fffff805`57ddf000 rdyboost rdyboost.sys Sun Aug 26 18:38:42 2018 (5B832BF2)
fffff805`5a620000 fffff805`5a735000 rt640x64 rt640x64.sys Fri Jun 15 00:10:42 2018 (5B233C42)
fffff80e`822c0000 fffff80e`822da000 SgrmAgent SgrmAgent.sys ***** Invalid (F7CA286D)
fffff80e`82220000 fffff80e`8222f000 SleepStudyHelper SleepStudyHelper.sys ***** Invalid (D42ABCCC)
fffff80e`825a0000 fffff80e`82643000 spaceport spaceport.sys ***** Invalid (D550BE88)
fffff80e`82700000 fffff80e`8272d000 storahci storahci.sys ***** Invalid (E94316B7)
fffff80e`82730000 fffff80e`827cb000 storport storport.sys Sun Dec 23 08:22:26 2007 (476E6112)
fffff805`5a820000 fffff805`5a82c000 swenum swenum.sys ***** Invalid (8B90F92A)
fffff805`57d60000 fffff805`57d82000 SysmonDrv SysmonDrv.sys Mon Feb 18 16:48:24 2019 (5C6B2828)
fffff805`57440000 fffff805`5744e000 tbs tbs.sys Wed Dec 03 00:21:40 2036 (7DE0F3E4)
fffff80e`82d30000 fffff80e`8300b000 tcpip tcpip.sys Tue Feb 07 05:38:50 2023 (63E22A3A)
fffff805`57b40000 fffff805`57b50000 TDI TDI.SYS ***** Invalid (E9708B47)
fffff805`57b10000 fffff805`57b37000 tdx tdx.sys ***** Invalid (AFDABF6D)
fffff80e`821c0000 fffff80e`821e7000 tm tm.sys ***** Invalid (F1AC5A2F)
fffff805`5a7c0000 fffff805`5a7ff000 ucx01000 ucx01000.sys Sat Jan 03 10:23:30 2037 (7E0A5F72)
fffff805`58f70000 fffff805`58f85000 umbus umbus.sys ***** Invalid (83197D71)
fffff805`5ab10000 fffff805`5ab41000 usbccgp usbccgp.sys ***** Invalid (82D4CB5C)
fffff805`5a8f0000 fffff805`5a8fe000 USBD USBD.SYS ***** Invalid (C7E3B3E8)
fffff805`5a600000 fffff805`5a61c000 usbehci usbehci.sys ***** Invalid (B398C408)
fffff805`5a860000 fffff805`5a8e8000 usbhub usbhub.sys Mon Jun 09 02:01:34 1997 (339B9C3E)
fffff805`5a980000 fffff805`5aa13000 UsbHub3 UsbHub3.sys Sat Jan 23 04:05:51 2010 (4B5ABBEF)
fffff805`5c570000 fffff805`5c5eb000 USBPORT USBPORT.SYS Sat May 29 20:01:47 1999 (37507FEB)
fffff805`5aa20000 fffff805`5aa45000 USBSTOR USBSTOR.SYS ***** Invalid (EC3DCED0)
fffff805`5c550000 fffff805`5c560000 usbuhci usbuhci.sys Sun Oct 02 19:41:39 2011 (4E88F6B3)
fffff805`5a740000 fffff805`5a7b8000 USBXHCI USBXHCI.SYS ***** Invalid (DD7F1F39)
fffff805`58000000 fffff805`580fd000 VBoxDrv VBoxDrv.sys Fri Jan 25 13:59:37 2019 (5C4B5C99)
fffff805`57c70000 fffff805`57cb4000 VBoxNetLwf VBoxNetLwf.sys Fri Jan 25 13:59:03 2019 (5C4B5C77)
fffff805`57fc0000 fffff805`57ff3000 VBoxUSBMon VBoxUSBMon.sys Fri Jan 25 13:59:03 2019 (5C4B5C77)
fffff80e`82500000 fffff80e`82512000 vdrvroot vdrvroot.sys ***** Invalid (8ED5F3A9)
fffff80e`81d80000 fffff80e`81e05000 VerifierExt VerifierExt.sys ***** Invalid (FFC45489)
fffff805`58270000 fffff805`582f4000 Vid Vid.sys ***** Invalid (F42473AC)
fffff80e`82650000 fffff80e`82669000 volmgr volmgr.sys ***** Invalid (91784A41)
fffff80e`82670000 fffff80e`826d3000 volmgrx volmgrx.sys Tue Dec 25 16:43:09 2012 (50DA1DED)
fffff805`57cf0000 fffff805`57d5d000 volsnap volsnap.sys ***** Invalid (AC1C69A4)
fffff80e`831a0000 fffff80e`831ab000 volume volume.sys ***** Invalid (CB3F72CF)
fffff80e`823c0000 fffff80e`823da000 vwififlt vwififlt.sys ***** Invalid (B1239F86)
fffff805`57940000 fffff805`57956000 watchdog watchdog.sys ***** Invalid (8D7A0DF0)
fffff805`5aad0000 fffff805`5aada000 wdcsam64 wdcsam64.sys Fri Oct 09 16:31:13 2015 (56182411)
fffff80e`81e10000 fffff80e`81ee1000 Wdf01000 Wdf01000.sys ***** Invalid (AF1CEDD2)
fffff80e`831e0000 fffff80e`831f3000 WDFLDR WDFLDR.SYS Thu Jan 31 16:00:20 2008 (47A236E4)
fffff80e`82130000 fffff80e`82141000 werkernel werkernel.sys Sat Aug 14 07:55:58 1971 (030A7CCE)
fffff80e`83090000 fffff80e`830c0000 wfplwfs wfplwfs.sys ***** Invalid (8AE4C0AC)
fffff80e`82430000 fffff80e`82446000 WindowsTrustedRT WindowsTrustedRT.sys ***** Invalid (BD0B79F0)
fffff80e`82450000 fffff80e`8245b000 WindowsTrustedRTProxy WindowsTrustedRTProxy.sys Tue May 14 12:37:30 2013 (5192684A)
fffff805`58300000 fffff805`5831e000 winhvr winhvr.sys ***** Invalid (BDDA6167)
fffff80e`823b0000 fffff80e`823bc000 WMILIB WMILIB.SYS Tue Apr 19 22:19:11 2033 (7710989F)
fffff80e`82810000 fffff80e`8284e000 Wof Wof.sys Mon Nov 14 18:36:29 1988 (237F6DFD)
fffff80e`82200000 fffff80e`82210000 WppRecorder WppRecorder.sys ***** Invalid (E5178B49)
fffff805`57f30000 fffff805`57fb2000 zam64 zam64.sys Wed Aug 17 13:06:53 2016 (57B499AD)
fffff805`57ea0000 fffff805`57f22000 zamguard64 zamguard64.sys Wed Aug 17 13:06:53 2016 (57B499AD)

Unloaded modules:
fffff80e`827d0000 fffff80e`827ed000 EhStorClass.
Timestamp: unavailable (00000000)
Checksum: 00000000
ImageSize: 0001D000
fffff805`581d0000 fffff805`581ec000 dam.sys
Timestamp: unavailable (00000000)
Checksum: 00000000
ImageSize: 0001C000
fffff805`57b80000 fffff805`57b8b000 CsNdisLWF.sy
Timestamp: unavailable (00000000)
Checksum: 00000000
ImageSize: 0000B000
fffff80e`823d0000 fffff80e`823d9000 MbamElam.sys
Timestamp: unavailable (00000000)
Checksum: 00000000
ImageSize: 00009000
fffff80e`823c0000 fffff80e`823c9000 eelam.sys
Timestamp: unavailable (00000000)
Checksum: 00000000
ImageSize: 00009000
fffff805`57250000 fffff805`57260000 hwpolicy.sys
Timestamp: unavailable (00000000)
Checksum: 00000000
ImageSize: 00010000
Bugcheck code 000000C4
Arguments 00000000`00002004 ffff8b06`eaf51b28 fffff805`5ab50208 ffffc888`5354d320
1: kd> k
# Child-SP RetAddr Call Site
00 ffffc888`5354d258 fffff805`55537e63 nt!KeBugCheckEx
01 ffffc888`5354d260 fffff805`54f1183b nt!VerifierBugCheckIfAppropriate+0xdf
02 ffffc888`5354d2a0 fffff805`5552f42f nt!VfReportIssueWithOptions+0x103
03 ffffc888`5354d2f0 fffff805`5553fae9 nt!VfCheckImageCompliance+0x28b
04 ffffc888`5354d370 fffff805`5552b421 nt!VfSuspectDriversLoadCallback+0x345
05 ffffc888`5354d3c0 fffff805`552730ef nt!VfDriverLoadImage+0x24fd
06 ffffc888`5354d410 fffff805`5526d23b nt!MmLoadSystemImageEx+0x7ff
07 ffffc888`5354d5c0 fffff805`552f6e7b nt!IopLoadDriver+0x21b
08 ffffc888`5354d7a0 fffff805`552d9746 nt!PipCallDriverAddDeviceQueryRoutine+0x1b7
09 ffffc888`5354d840 fffff805`552d9209 nt!PnpCallDriverQueryServiceHelper+0x1d2
0a ffffc888`5354d8f0 fffff805`552d872b nt!PipCallDriverAddDevice+0x59d
0b ffffc888`5354daa0 fffff805`552eac26 nt!PipProcessDevNodeTree+0x1af
0c ffffc888`5354db60 fffff805`54d6229d nt!PiProcessReenumeration+0x82
0d ffffc888`5354dbb0 fffff805`54cbc1ea nt!PnpDeviceActionWorker+0x1dd
0e ffffc888`5354dc70 fffff805`54c8ebc5 nt!ExpWorkerThread+0x16a
0f ffffc888`5354dd10 fffff805`54dc2a3c nt!PspSystemThreadStartup+0x55
10 ffffc888`5354dd60 00000000`00000000 nt!KiStartSystemThread+0x1c
 
@jcgriff2 Out of interest I ran the WinDBG analysis of the mini-dump and it very clearly shows the problem driver lvbflt64.sys. I have attached the output below. I believe I am using a more up to date version of WinDBG.

Code:
Microsoft (R) Windows Debugger Version 10.0.18317.1001 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.


Loading Dump File [C:\Users\coldr\Downloads\031219-13031-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available


************* Path validation summary **************
Response Time (ms) Location
Deferred SRV*C:\SymCache*https://msdl.microsoft.com/download/symbols
Symbol search path is: SRV*C:\SymCache*https://msdl.microsoft.com/download/symbols
Executable search path is:
Windows 10 Kernel Version 17763 MP (4 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 17763.1.amd64fre.rs5_release.180914-1434
Machine Name:
Kernel base = 0xfffff805`54c08000 PsLoadedModuleList = 0xfffff805`550239b0
Debug session time: Wed Mar 13 05:38:37.028 2019 (UTC + 0:00)
System Uptime: 0 days 0:00:20.823
Loading Kernel Symbols
...............................................................
................................................................
....................
Loading User Symbols
Loading unloaded module list
......
For analysis of this file, run !analyze -v
nt!KeBugCheckEx:
fffff805`54dbb5e0 48894c2408 mov qword ptr [rsp+8],rcx ss:0018:ffffc888`5354d260=00000000000000c4
1: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

DRIVER_VERIFIER_DETECTED_VIOLATION (c4)
A device driver attempting to corrupt the system has been caught. This is
because the driver was specified in the registry as being suspect (by the
administrator) and the kernel has enabled substantial checking of this driver.
If the driver attempts to corrupt the system, bugchecks 0xC4, 0xC1 and 0xA will
be among the most commonly seen crashes.
Arguments:
Arg1: 0000000000002004, Code Integrity Issue: The image contains a section that is not page aligned.
Arg2: ffff8b06eaf51b28, The image file name (Unicode string).
Arg3: fffff8055ab50208, The address of the section header.
Arg4: ffffc8885354d320, The section name (UTF-8 encoded string).

Debugging Details:
------------------

Unable to load image \SystemRoot\System32\drivers\lvbflt64.sys, Win32 error 0n2

ffff8b06ea5fcb10: Unable to read TableSize for resource

ffff8b06ea5fcb10: Unable to read TableSize for resource

ffff8b06ea5fcb10: Unable to read TableSize for resource

ffff8b06ea5fcb10: Unable to read TableSize for resource

KEY_VALUES_STRING: 1


PROCESSES_ANALYSIS: 1

SERVICE_ANALYSIS: 1

STACKHASH_ANALYSIS: 1

TIMELINE_ANALYSIS: 1


DUMP_CLASS: 1

DUMP_QUALIFIER: 400

BUILD_VERSION_STRING: 17763.1.amd64fre.rs5_release.180914-1434

DUMP_TYPE: 2

BUGCHECK_P1: 2004

BUGCHECK_P2: ffff8b06eaf51b28

BUGCHECK_P3: fffff8055ab50208

BUGCHECK_P4: ffffc8885354d320

BUGCHECK_STR: 0xc4_2004

FAULTING_IP:
lvbflt64+208
fffff805`5ab50208 2e7465 hnt je lvbflt64+0x270 (fffff805`5ab50270)

FOLLOWUP_IP:
lvbflt64+208
fffff805`5ab50208 2e7465 hnt je lvbflt64+0x270 (fffff805`5ab50270)

CPU_COUNT: 4

CPU_MHZ: fe2

CPU_VENDOR: GenuineIntel

CPU_FAMILY: 6

CPU_MODEL: 17

CPU_STEPPING: a

CUSTOMER_CRASH_COUNT: 1

DEFAULT_BUCKET_ID: VERIFIER_ENABLED_VISTA_MINIDUMP

PROCESS_NAME: System

CURRENT_IRQL: 0

ANALYSIS_SESSION_HOST: DESKTOP-PH66QL2

ANALYSIS_SESSION_TIME: 03-15-2019 20:38:20.0527

ANALYSIS_VERSION: 10.0.18317.1001 amd64fre

LOCK_ADDRESS: fffff8055503dc20 -- (!locks fffff8055503dc20)

ffff8b06ea5fcb10: Unable to read TableSize for resource
1 total locks

PNP_TRIAGE_DATA:
Lock address : 0xfffff8055503dc20
Thread Count : 1
Thread address: 0xffff8b06e8139080
Thread wait : 0x534

LAST_CONTROL_TRANSFER: from fffff80555537e63 to fffff80554dbb5e0

STACK_TEXT:
ffffc888`5354d258 fffff805`55537e63 : 00000000`000000c4 00000000`00002004 ffff8b06`eaf51b28 fffff805`5ab50208 : nt!KeBugCheckEx
ffffc888`5354d260 fffff805`54f1183b : fffff805`5500e2e4 00000000`00002004 ffff8b06`eaf51b28 fffff805`5ab50208 : nt!VerifierBugCheckIfAppropriate+0xdf
ffffc888`5354d2a0 fffff805`5552f42f : 00000000`00000000 ffffc888`5354d340 fffff805`5ab50208 fffff805`5553026e : nt!VfReportIssueWithOptions+0x103
ffffc888`5354d2f0 fffff805`5553fae9 : ffff8b06`eaf51ad0 ffff8b06`eaf51ad0 00000000`00000001 ffff8b06`e80445b0 : nt!VfCheckImageCompliance+0x28b
ffffc888`5354d370 fffff805`5552b421 : ffff8b06`eaf51ad0 00000000`00000000 ffff8b06`ed14cb00 fffff805`54c9b121 : nt!VfSuspectDriversLoadCallback+0x345
ffffc888`5354d3c0 fffff805`552730ef : fffff805`5ab50130 ffffc888`5354d510 ffff8b06`ed14cb10 00000000`00000000 : nt!VfDriverLoadImage+0x24fd
ffffc888`5354d410 fffff805`5526d23b : ffffc888`5354d618 00000000`00000000 00000000`00000000 00000000`00000001 : nt!MmLoadSystemImageEx+0x7ff
ffffc888`5354d5c0 fffff805`552f6e7b : 00000000`00000000 00000000`00000000 00000000`00000004 ffffc98f`00000004 : nt!IopLoadDriver+0x21b
ffffc888`5354d7a0 fffff805`552d9746 : ffffffff`80000301 ffffc98f`61121890 ffff8b06`f26c1600 00000000`0000000d : nt!PipCallDriverAddDeviceQueryRoutine+0x1b7
ffffc888`5354d840 fffff805`552d9209 : 00000000`00000000 ffffc888`5354d950 ffff8b06`f27cbb70 fffff805`00000002 : nt!PnpCallDriverQueryServiceHelper+0x1d2
ffffc888`5354d8f0 fffff805`552d872b : ffff8b06`f27cbb70 ffffc888`5354db18 ffff8b06`f27cbb70 00000000`00000000 : nt!PipCallDriverAddDevice+0x59d
ffffc888`5354daa0 fffff805`552eac26 : ffff8b06`eaf2b300 ffffc888`5354dc01 ffffc888`5354dbb0 fffff805`00000002 : nt!PipProcessDevNodeTree+0x1af
ffffc888`5354db60 fffff805`54d6229d : ffff8b01`00000003 ffff8b06`e8ade9a0 ffff8b06`eaf2b310 00000000`00000000 : nt!PiProcessReenumeration+0x82
ffffc888`5354dbb0 fffff805`54cbc1ea : ffff8b06`e8139080 fffff805`5503c540 ffff8b06`e8102c50 ffff8b06`00000000 : nt!PnpDeviceActionWorker+0x1dd
ffffc888`5354dc70 fffff805`54c8ebc5 : ffff8b06`e8139080 ffff8b06`e809a080 ffff8b06`e8139080 00000000`00000000 : nt!ExpWorkerThread+0x16a
ffffc888`5354dd10 fffff805`54dc2a3c : ffffdf00`2b560180 ffff8b06`e8139080 fffff805`54c8eb70 00000000`00000000 : nt!PspSystemThreadStartup+0x55
ffffc888`5354dd60 00000000`00000000 : ffffc888`5354e000 ffffc888`53548000 00000000`00000000 00000000`00000000 : nt!KiStartSystemThread+0x1c


THREAD_SHA1_HASH_MOD_FUNC: 990c494c2f02cddc85cf3de975b478a8b00029fc

THREAD_SHA1_HASH_MOD_FUNC_OFFSET: 1c4ef6f14787cb065eb702f9aa5923f11eaac374

THREAD_SHA1_HASH_MOD: aaa5a324bf1bd3082ad2b464ee2ed2f6d50e564c

FAULT_INSTR_CODE: 7865742e

SYMBOL_NAME: lvbflt64+208

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: lvbflt64

IMAGE_NAME: lvbflt64.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 5085fc9e

STACK_COMMAND: .thread ; .cxr ; kb

BUCKET_ID_FUNC_OFFSET: 208

FAILURE_BUCKET_ID: 0xc4_2004_VRF_lvbflt64!unknown_function

BUCKET_ID: 0xc4_2004_VRF_lvbflt64!unknown_function

PRIMARY_PROBLEM_CLASS: 0xc4_2004_VRF_lvbflt64!unknown_function

TARGET_TIME: 2019-03-13T05:38:37.000Z

OSBUILD: 17763

OSSERVICEPACK: 348

SERVICEPACK_NUMBER: 0

OS_REVISION: 0

SUITE_MASK: 272

PRODUCT_TYPE: 1

OSPLATFORM_TYPE: x64

OSNAME: Windows 10

OSEDITION: Windows 10 WinNt TerminalServer SingleUserTS

OS_LOCALE:

USER_LCID: 0

OSBUILD_TIMESTAMP: unknown_date

BUILDDATESTAMP_STR: 180914-1434

BUILDLAB_STR: rs5_release

BUILDOSVER_STR: 10.0.17763.1.amd64fre.rs5_release.180914-1434

ANALYSIS_SESSION_ELAPSED_TIME: 67e4

ANALYSIS_SOURCE: KM

FAILURE_ID_HASH_STRING: km:0xc4_2004_vrf_lvbflt64!unknown_function

FAILURE_ID_HASH: {f24e01ce-9017-0625-a2bc-cfcf81ecb7d0}

Followup: MachineOwner
---------

The rawstack can be examined for a better look at what is going on:

Code:
1: kd> .load pde;!dpx
=========================================================================================
PDE v11.3 - Copyright 2017 Andrew Richards
=========================================================================================
Start memory scan  : 0xffffc8885354d258 ($csp)
End memory scan    : 0xffffc8885354e000 (Kernel Stack Base)

               rsp : 0xffffc8885354d258 : 0xfffff80555537e63 : nt!VerifierBugCheckIfAppropriate+0xdf
0xffffc8885354d258 : 0xfffff80555537e63 : nt!VerifierBugCheckIfAppropriate+0xdf
0xffffc8885354d278 : 0xfffff8055ab50208 : lvbflt64+0x208
0xffffc8885354d288 : 0xfffff80e81d91ed4 : VerifierExt!XdvpQueryExtensionObject+0x58
0xffffc8885354d298 : 0xfffff80554f1183b : nt!VfReportIssueWithOptions+0x103
0xffffc8885354d2a0 : 0xfffff8055500e2e4 : nt!ViPendingProbability+0xc
0xffffc8885354d2b8 : 0xfffff8055ab50208 : lvbflt64+0x208
0xffffc8885354d2d0 : 0xfffff8055ab501e8 : lvbflt64+0x1e8
0xffffc8885354d2d8 : 0xffff8b06eaf51ad0 : 0xfffff805550239b0 : nt!PsLoadedModuleList
0xffffc8885354d2e0 : 0xfffff8055ab50100 : lvbflt64+0x100
0xffffc8885354d2e8 : 0xfffff8055552f42f : nt!VfCheckImageCompliance+0x28b
0xffffc8885354d300 : 0xfffff8055ab50208 : lvbflt64+0x208
0xffffc8885354d308 : 0xfffff8055553026e : nt!VfNotifyVerifierExtensions+0x62
0xffffc8885354d318 : 0xfffff8055500e2e4 : nt!ViPendingProbability+0xc
0xffffc8885354d368 : 0xfffff8055553fae9 : nt!VfSuspectDriversLoadCallback+0x345
0xffffc8885354d370 : 0xffff8b06eaf51ad0 : 0xfffff805550239b0 : nt!PsLoadedModuleList
0xffffc8885354d378 : 0xffff8b06eaf51ad0 : 0xfffff805550239b0 : nt!PsLoadedModuleList
0xffffc8885354d3a8 : 0xfffff8055ab50000 : lvbflt64
0xffffc8885354d3c0 : 0xffff8b06eaf51ad0 : 0xfffff805550239b0 : nt!PsLoadedModuleList
0xffffc8885354d3d8 : 0xfffff80554c9b121 : nt!MiSetImageProtection+0x41
0xffffc8885354d3e8 : 0xffff8b06eaf51ad0 : 0xfffff805550239b0 : nt!PsLoadedModuleList
0xffffc8885354d3f8 : 0xfffff80555529eb0 :  !du "VerifierExt.sys"
0xffffc8885354d400 : 0xffff8b06eaf51ad0 : 0xfffff805550239b0 : nt!PsLoadedModuleList
0xffffc8885354d408 : 0xfffff805552730ef : nt!MmLoadSystemImageEx+0x7ff
0xffffc8885354d410 : 0xfffff8055ab50130 : lvbflt64+0x130
0xffffc8885354d438 : 0xffffc8885354d4c8 : 0xffff8b06eaf51ad0 : 0xfffff805550239b0 : nt!PsLoadedModuleList
0xffffc8885354d468 : 0xffff8b06eaf51ad0 : 0xfffff805550239b0 : nt!PsLoadedModuleList
0xffffc8885354d488 : 0xfffff8055ab52980 : 0xfffff80554cc2070 : nt!RtlInitUnicodeString
0xffffc8885354d4a8 : 0xffffc98f61de8fda :  !du "lvbflt64.sys"
0xffffc8885354d4b8 : 0xffffc98f61de8fa0 :  !du "\SystemRoot\System32\drivers\lvbflt64.sys"
0xffffc8885354d4c0 : 0xffffc8885354d4d8 : 0xffffc98f61de8fa0 :  !du "\SystemRoot\System32\drivers\lvbflt64.sys"
0xffffc8885354d4c8 : 0xffff8b06eaf51ad0 : 0xfffff805550239b0 : nt!PsLoadedModuleList
0xffffc8885354d4d8 : 0xffffc98f61de8fa0 :  !du "\SystemRoot\System32\drivers\lvbflt64.sys"
0xffffc8885354d4e0 : 0xfffff80555351d00 :  !du "\Driver\"
0xffffc8885354d4e8 : 0xfffff80554c4b9b4 : nt!RtlAppendUnicodeToString+0x64
0xffffc8885354d4f0 : 0xffffc98f61f98fd0 :  !du "\drivers\lvbflt64.sys"
0xffffc8885354d528 : 0xfffff80554d1b2b5 : nt!ExAcquireResourceExclusiveLite+0xb5
0xffffc8885354d530 : 0xfffff8055503ea60 : nt!IopDriverLoadResource
0xffffc8885354d538 : 0xfffff8055526da8b : nt!IopGetDriverNameFromKeyNode+0x15f
0xffffc8885354d558 : 0xffffc98f61f98fd0 :  !du "\drivers\lvbflt64.sys"
0xffffc8885354d568 : 0xfffff8055503eac0 : nt!IopDriverLoadResource+0x60
0xffffc8885354d578 : 0xffff8b06ee238f60 : 0xfffff80e81a33a80 : FLTMGR!FltpPassThroughCompletion
0xffffc8885354d588 : 0xffffc98f61f84fe0 :  !du "CompFilter64"
0xffffc8885354d5b8 : 0xfffff8055526d23b : nt!IopLoadDriver+0x21b
0xffffc8885354d610 : 0xfffff80555351d00 :  !du "\Driver\"
0xffffc8885354d620 : 0xffffc98f61de8fa0 :  !du "\SystemRoot\System32\drivers\lvbflt64.sys"
0xffffc8885354d638 : 0xffffc98f61f84fe0 :  !du "CompFilter64"
0xffffc8885354d650 : 0xffff8b06ee23afd0 :  !du "\Driver\CompFilter64"
0xffffc8885354d660 : 0xfffff80555353c30 :  !du "Start"
0xffffc8885354d688 : 0xfffff80554dbf2e0 : nt!KiServiceLinkage
0xffffc8885354d738 : 0xfffff80555329ce0 : nt!PnpGetServiceStartType+0x5c
0xffffc8885354d748 : 0xffffc98f61121890 :  !du "CompFilter64"
0xffffc8885354d758 : 0xffff8b06ee228f60 :  !da "33333333333333333333333333333333333333333333333333333333333333333333333333333333..."
0xffffc8885354d798 : 0xfffff805552f6e7b : nt!PipCallDriverAddDeviceQueryRoutine+0x1b7
0xffffc8885354d7f0 : 0xffffc98f61121890 :  !du "CompFilter64"
0xffffc8885354d800 : 0xffff8b06ee236fd0 :  !du "\Driver\CompFilter64"
0xffffc8885354d838 : 0xfffff805552d9746 : nt!PnpCallDriverQueryServiceHelper+0x1d2
0xffffc8885354d848 : 0xffffc98f61121890 :  !du "CompFilter64"
0xffffc8885354d898 : 0xfffff8055520c0a2 : nt!CmOpenInstallerClassRegKey+0x3a
0xffffc8885354d8e8 : 0xfffff805552d9209 : nt!PipCallDriverAddDevice+0x59d
0xffffc8885354d910 : 0xffff8b06f26c1610 :  !du "USB\VID_046D&PID_0821\5100D8E0"
0xffffc8885354d970 : 0xffffc98f61121890 :  !du "CompFilter64"
0xffffc8885354d988 : 0xfffff8055503e760 : nt!PiDependencyRelationsLock+0x60
0xffffc8885354d9a8 : 0xffffc8885354da00 :  !du "{36fc9e60-c465-11cf-8056-444553540000}"
0xffffc8885354da00 : 0x006600360033007b :  !du "{36fc9e60-c465-11cf-8056-444553540000}"
0xffffc8885354da08 : 0x0036006500390063 :  !du "c9e60-c465-11cf-8056-444553540000}"
0xffffc8885354da10 : 0x00340063002d0030 :  !du "0-c465-11cf-8056-444553540000}"
0xffffc8885354da18 : 0x0031002d00350036 :  !du "65-11cf-8056-444553540000}"
0xffffc8885354da20 : 0x002d006600630031 :  !du "1cf-8056-444553540000}"
0xffffc8885354da28 : 0x0036003500300038 :  !du "8056-444553540000}"
0xffffc8885354da30 : 0x003400340034002d :  !du "-444553540000}"
0xffffc8885354da38 : 0x0035003300350035 :  !du "553540000}"
0xffffc8885354da40 : 0x0030003000300034 :  !du "40000}"
0xffffc8885354da98 : 0xfffff805552d872b : nt!PipProcessDevNodeTree+0x1af
0xffffc8885354db10 : 0xfffff805552fafa0 : nt!PiMarkDeviceTreeForReenumerationWorker
0xffffc8885354db58 : 0xfffff805552eac26 : nt!PiProcessReenumeration+0x82
0xffffc8885354dba8 : 0xfffff80554d6229d : nt!PnpDeviceActionWorker+0x1dd
0xffffc8885354dbd8 : 0xfffff80554cbcca9 : nt!KeRemovePriQueue+0x6f9
0xffffc8885354dc28 : 0xfffff80555165240 : nt!ExNode0
0xffffc8885354dc40 : 0xfffff80555165240 : nt!ExNode0
0xffffc8885354dc60 : 0xfffff80554d620c0 : nt!PnpDeviceActionWorker
0xffffc8885354dc68 : 0xfffff80554cbc1ea : nt!ExpWorkerThread+0x16a
0xffffc8885354dc78 : 0xfffff8055503c540 : nt!PnpDeviceEnumerationWorkItem
0xffffc8885354dca0 : 0xffff8b06e80566f0 : 0xffff8b06e80aac00 : 0xfffff80555045840 : nt!MiSystemPartition
0xffffc8885354dcf0 : 0xfffff80554cbc080 : nt!ExpWorkerThread
0xffffc8885354dd08 : 0xfffff80554c8ebc5 : nt!PspSystemThreadStartup+0x55
0xffffc8885354dd58 : 0xfffff80554dc2a3c : nt!KiStartSystemThread+0x1c
0xffffc8885354dd70 : 0xfffff80554c8eb70 : nt!PspSystemThreadStartup
 
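In the analysis above, Arg1 0x2004 reports an image section that is not page aligned, and Arg3 (lvbflt64+208) is the address of a section header, not of code. The following is an added example, not part of the thread: it parses PE section headers, lists sections whose virtual address is not a multiple of the page size, and maps a header offset such as 0x208 back to a section name. The sample image is constructed (it is not the real lvbflt64.sys), its layout is chosen so the first section header sits at offset 0x208, and treating "page aligned" as "virtual address is a multiple of 4 KiB" is an assumption of this sketch.

```python
import struct

PAGE_SIZE = 0x1000          # x64 small page (assumed meaning of "page aligned")
SECTION_HEADER_SIZE = 40    # sizeof(IMAGE_SECTION_HEADER)


def build_sample_image() -> bytes:
    """Constructed PE32+ headers only (no section data); not the real driver."""
    e_lfanew, opt_size = 0x100, 0xF0   # 0x100 + 4 + 20 + 0xF0 = 0x208
    sections = [  # (name, virtual size, virtual address, characteristics)
        (b".text", 0x2000, 0x0300, 0x60000020),
        (b".data", 0x0400, 0x2380, 0xC0000040),
        (b"INIT", 0x0600, 0x3000, 0x62000020),
    ]
    image = bytearray(0x208 + SECTION_HEADER_SIZE * len(sections))
    image[0:2] = b"MZ"
    struct.pack_into("<I", image, 0x3C, e_lfanew)
    image[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    # IMAGE_FILE_HEADER: machine, section count, 3 unused dwords, opt size, flags
    struct.pack_into("<HHIIIHH", image, e_lfanew + 4,
                     0x8664, len(sections), 0, 0, 0, opt_size, 0x0022)
    opt = e_lfanew + 24
    struct.pack_into("<H", image, opt, 0x20B)             # PE32+ magic
    struct.pack_into("<II", image, opt + 32, 0x80, 0x80)  # Section/FileAlignment
    for i, (name, vsize, va, chars) in enumerate(sections):
        struct.pack_into("<8sIIIIIIHHI", image,
                         opt + opt_size + SECTION_HEADER_SIZE * i,
                         name, vsize, va, vsize, va, 0, 0, 0, 0, chars)
    return bytes(image)


def parse_sections(image: bytes):
    """Return (SectionAlignment, list of section dicts) from PE headers."""
    try:
        if image[:2] != b"MZ":
            raise ValueError("missing MZ signature")
        (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
        if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
            raise ValueError("missing PE signature")
        _, count, _, _, _, opt_size, _ = struct.unpack_from(
            "<HHIIIHH", image, e_lfanew + 4)
        opt = e_lfanew + 24
        (magic,) = struct.unpack_from("<H", image, opt)
        if magic not in (0x10B, 0x20B):
            raise ValueError("unknown optional header magic")
        # SectionAlignment is at offset 32 in both PE32 and PE32+
        (alignment,) = struct.unpack_from("<I", image, opt + 32)
        sections = []
        for i in range(count):
            off = opt + opt_size + SECTION_HEADER_SIZE * i
            name, vsize, va, _, _, _, _, _, _, chars = struct.unpack_from(
                "<8sIIIIIIHHI", image, off)
            sections.append({
                "header_offset": off,
                "name": name.rstrip(b"\0").decode("ascii", "replace"),
                "va": va, "vsize": vsize, "chars": chars,
            })
        return alignment, sections
    except struct.error as exc:
        raise ValueError("truncated PE headers") from exc


def misaligned_sections(image: bytes):
    """Sections whose virtual address is not a multiple of PAGE_SIZE."""
    _, sections = parse_sections(image)
    return [(s["name"], s["va"]) for s in sections if s["va"] % PAGE_SIZE]


def section_at_header_offset(image: bytes, offset: int):
    """Name of the section whose header covers `offset` (e.g. Arg3 - base)."""
    _, sections = parse_sections(image)
    for s in sections:
        if s["header_offset"] <= offset < s["header_offset"] + SECTION_HEADER_SIZE:
            return s["name"]
    return None


if __name__ == "__main__":
    img = build_sample_image()
    alignment, _ = parse_sections(img)
    print(f"SectionAlignment: {alignment:#x}")
    for name, va in misaligned_sections(img):
        print(f"not page aligned: {name} at RVA {va:#x}")
    print("header at +0x208 belongs to:", section_at_header_offset(img, 0x208))
```

The first four bytes of a header named `.text` read as the little-endian dword 0x7865742e, the same value the dump shows as FAULT_INSTR_CODE, which is why the "faulting instruction" at lvbflt64+208 disassembles as nonsense.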
@philc43
How did you get the 18317.1001 WinDBG version? When I downloaded the SDK from the Microsoft website and installed the WinDBG attached to it, the debugger installed itself in a different (lower) version than yours (17763.132). Do you have Windows 10?
 
I don't use the SDK anymore. I have switched to the WinDBG Preview app available from the MS Store. This has been available since around August 2017 and appears to be the one that receives the improvements that MS provide for WinDBG before they add them to the desktop version.

In the example that @jcgriff2 was working on he would have found the driver if he had done a dps command on the rawstack. WinDBG Preview saves all that extra work by correctly identifying the fault and reporting it in the automated bugcheck analysis.
 
@philc43 - can you give us a link to the Windbg that you use, please?

Now all of this makes sense to me.

Remember a few years back when Windbg ran very, very slow? I continued to use prior faster versions and paid dearly for it as 2 different versions of Windbg would get 2 different results as we have seen here today.

Thanks,

John
 
Those are 2 different dump file outputs -- look at the time of the BSODs, which I have highlighted in yellow.

They are 2 different dumps it appears.

John


Looking at my minidump folder I have only one minidump with this name, 031219-13031-01; also note the exact times. These are all driver verifier tests, and I never did a driver verifier test on the 13th. Therefore Microsoft WinDBG also failed to pull the date & time correctly; note the name of the actual file has the correct date in it as well.
Microsoft: Wed Mar 13 01:38:37.028
031219-13031-01.dmp
Whocrashed: Tue 3/12/2019 10:38:37 PM
031219-13031-01.dmp

It's looking a lot less like WinDBG should be trusted on its own.

Here is my latest dump without windows verifier enabled:
 


Regarding WinDBG failures, please also note the exact same bug check code in both WinDBG and Whocrashed:

Bugcheck code 000000C4
Arguments 0000000000002004 ffff8b06eaf51b28 fffff8055ab50208 ffffc8885354d320
 
These are the dumps for the latest according to Whocrashed:

On Sat 3/16/2019 4:15:01 AM your computer crashed or a problem was reported
crash dump file: C:\Windows\Minidump\031619-11250-01.dmp
This was probably caused by the following module: ntoskrnl.exe (nt+0x1B35E0)
Bugcheck code: 0x18 (0x0, 0xFFFFE209C26E7C50, 0x2, 0xFFFFFFFFFFFFFFFF)
Error: REFERENCE_BY_POINTER
file path: C:\Windows\system32\ntoskrnl.exe
product: Microsoft® Windows® Operating System
company: Microsoft Corporation
description: NT Kernel & System
Bug check description: This indicates that the reference count of an object is illegal for the current state of the object.
This bug check belongs to the crash dump test that you have performed with WhoCrashed or other software. It means that a crash dump file was properly written out.
The crash took place in the Windows kernel. Possibly this problem is caused by another driver that cannot be identified at this time.



On Sat 3/16/2019 4:15:01 AM your computer crashed or a problem was reported
crash dump file: C:\Windows\MEMORY.DMP
This was probably caused by the following module: afd.sys (afd+0x59608)
Bugcheck code: 0x18 (0x0, 0xFFFFE209C26E7C50, 0x2, 0xFFFFFFFFFFFFFFFF)
Error: REFERENCE_BY_POINTER
file path: C:\Windows\system32\drivers\afd.sys
product: Microsoft® Windows® Operating System
company: Microsoft Corporation
description: Ancillary Function Driver for WinSock
Bug check description: This indicates that the reference count of an object is illegal for the current state of the object.
This bug check belongs to the crash dump test that you have performed with WhoCrashed or other software. It means that a crash dump file was properly written out.
The crash took place in a Microsoft module. Your system configuration may be incorrect. Possibly this problem is caused by another driver on your system that cannot be identified at this time.
 
I am still using peerblock 1.2 in compatibility mode for windows 7, which had failed the driver verifier... I had left qbittorrent running all night; that was it, peerblock running as usual. Using the latest 2018 drivers for my network card. Peerblock loads via task scheduler, it was set to "configure for: Windows Vista, Windows Server 2008". I will try for "Windows 7" and see what happens. The executable ITSELF is set for compatibility mode with windows 7.
 
Event logs immediately after rebooting from the crash:

1. The NetTcpActivator service depends on the NetTcpPortSharing service which failed to start because of the following error:
The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.

2. A timeout was reached (30000 milliseconds) while waiting for the MSMQ service to connect.

3. The MSMQ service failed to start due to the following error:
The service did not respond to the start or control request in a timely fashion.


4. Faulting application name: bad_module_info, version: 0.0.0.0, time stamp: 0x00000000
Faulting module name: unknown, version: 0.0.0.0, time stamp: 0x00000000
Exception code: 0xc0000409
Fault offset: 0x00007ffc664c6848
Faulting process id: 0x410
Faulting application start time: 0x01d4dc3abf852546
Faulting application path: bad_module_info
Faulting module path: unknown
Report Id: 32cd450d-32cd-4bed-b151-3f8e1b302108
Faulting package full name:
Faulting package-relative application ID:
 
What does this mean exactly, could you explain? "reference count of an object is illegal for the current state of the object." I have read that a REFERENCE_BY_POINTER bugcheck could also be an old driver/program that was designed for windows 7, or malware trying to hook into a system function.
 
Could you send the full memory dump (memory.dmp)? Perhaps with it, it would be possible to determine which object is causing the blue screen.
 
Thank you so much, will do, and I just saw your latest posts finally, thanks for updating, so it was an outdated windbg, that is all. So Whocrashed can help determine out of date WinDBG software. Hopefully WinDBG will be perfectly accurate from now on. Others complained about Peerblock crashing windows. Another source, however they don't make it entirely clear if he left peerblock disabled when his crashes stopped after disabling driver verifier. Another source had a wfplwfs.sys related BSOD, who is using peerblock as well. I did receive that multiple times in the past as well. He is also using Eset security products as am I, but they have long since been updated. However the person reviewing his dump on page 2 claims it was a windows driver & another claims it could be a Microsoft raspppoe driver. Just filling this post with tags & sources for people with similar issues. Here is the full memory dump: 03-16-2019-4;15;01-MEMORY.7z
 
Yes... my version of Windbg is out-of-date, which is why WHOCRASHED picked up the 3rd party driver and Windbg did not. Sorry about the confusion this caused.

You asked about the reference count -

Each time a driver uses a pointer to an object the driver calls a kernel routine
to increment the reference count of the object. When the driver is done with the
pointer the driver calls another kernel routine to decrement the reference count.
Drivers must match calls to the increment and decrement routines. This bugcheck
can occur because an object's reference count goes to zero while there are still
open handles to the object, in which case the fourth parameter indicates the number
of opened handles. It may also occur when the object's reference count drops below zero
whether or not there are open handles to the object, and in that case the fourth parameter
contains the actual value of the pointer references count.

Make any sense?

Regards. . .

jcgriff2
 
You live, you learn. Will keep all posted if running Peerblock in compatibility mode for windows 7 will work out. I had installed it in compatibility mode and this did not stop whatever is causing the crashing.
 
The REFERENCE_BY_POINTER bug check has a value of 0x00000018. This indicates that the reference count of an object is illegal for the current state of the object.
Code:
Microsoft (R) Windows Debugger Version 10.0.17763.132 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.


Loading Dump File [F:\MEMORY.DMP]
Kernel Bitmap Dump File: Kernel address space is available, User address space may not be available.


************* Path validation summary **************
Response                         Time (ms)     Location
Deferred                                       SRV*C:\SymCache*http://msdl.microsoft.com/download/symbols
Symbol search path is: SRV*C:\SymCache*http://msdl.microsoft.com/download/symbols
Executable search path is:
Windows 10 Kernel Version 17763 MP (4 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 17763.1.amd64fre.rs5_release.180914-1434
Machine Name:
Kernel base = 0xfffff807`67aab000 PsLoadedModuleList = 0xfffff807`67ec69f0
Debug session time: Sat Mar 16 12:15:01.270 2019 (UTC + 1:00)
System Uptime: 1 days 0:23:24.989
Loading Kernel Symbols
...............................................................
................................................................
...............................................................
Loading User Symbols
PEB is paged out (Peb.Ldr = 0000009b`c69fb018).  Type ".hh dbgerr001" for details
Loading unloaded module list
...................
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 18, {0, ffffe209c26e7c50, 2, ffffffffffffffff}

Probably caused by : afd.sys ( afd!AfdPoll64+1a8 )

Followup:     MachineOwner
---------

1: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

REFERENCE_BY_POINTER (18)
Arguments:
Arg1: 0000000000000000, Object type of the object whose reference count is being lowered
Arg2: ffffe209c26e7c50, Object whose reference count is being lowered
Arg3: 0000000000000002, Reserved
Arg4: ffffffffffffffff, Reserved
    The reference count of an object is illegal for the current state of the object.
    Each time a driver uses a pointer to an object the driver calls a kernel routine
    to increment the reference count of the object. When the driver is done with the
    pointer the driver calls another kernel routine to decrement the reference count.
    Drivers must match calls to the increment and decrement routines. This bugcheck
    can occur because an object's reference count goes to zero while there are still
    open handles to the object, in which case the fourth parameter indicates the number
    of opened handles. It may also occur when the object's reference count drops below zero
    whether or not there are open handles to the object, and in that case the fourth parameter
    contains the actual value of the pointer references count.

Debugging Details:
------------------


KEY_VALUES_STRING: 1


STACKHASH_ANALYSIS: 1

TIMELINE_ANALYSIS: 1


DUMP_CLASS: 1

DUMP_QUALIFIER: 401

BUILD_VERSION_STRING:  17763.1.amd64fre.rs5_release.180914-1434

SYSTEM_MANUFACTURER:  System manufacturer

SYSTEM_PRODUCT_NAME:  P5Q-PRO

SYSTEM_SKU:  To Be Filled By O.E.M.

SYSTEM_VERSION:  System Version

BIOS_VENDOR:  American Megatrends Inc.

BIOS_VERSION:  2102   

BIOS_DATE:  02/23/2009

BASEBOARD_MANUFACTURER:  ASUSTeK Computer INC.

BASEBOARD_PRODUCT:  P5Q-PRO

BASEBOARD_VERSION:  Rev 1.xx

DUMP_TYPE:  1

BUGCHECK_P1: 0

BUGCHECK_P2: ffffe209c26e7c50

BUGCHECK_P3: 2

BUGCHECK_P4: ffffffffffffffff

CPU_COUNT: 4

CPU_MHZ: fe2

CPU_VENDOR:  GenuineIntel

CPU_FAMILY: 6

CPU_MODEL: 17

CPU_STEPPING: a

CPU_MICROCODE: 6,17,a,0 (F,M,S,R)  SIG: A0B'00000000 (cache) A0B'00000000 (init)

DEFAULT_BUCKET_ID:  WIN8_DRIVER_FAULT

BUGCHECK_STR:  0x18

PROCESS_NAME:  qbittorrent.exe

CURRENT_IRQL:  0

ANALYSIS_SESSION_HOST:  MICHAL

ANALYSIS_SESSION_TIME:  03-17-2019 12:28:05.0453

ANALYSIS_VERSION: 10.0.17763.132 amd64fre

LAST_CONTROL_TRANSFER:  from fffff80767cfa689 to fffff80767c5e5e0

STACK_TEXT: 
ffffc489`2a98e658 fffff807`67cfa689 : 00000000`00000018 00000000`00000000 ffffe209`c26e7c50 00000000`00000002 : nt!KeBugCheckEx
ffffc489`2a98e660 fffff807`68148c19 : ffffe209`c26e7c20 00000000`0016019f 00000000`00000218 fffff807`67bd7500 : nt!ObfDereferenceObjectWithTag+0x13b089
ffffc489`2a98e6a0 fffff807`6814873e : ffffe209`c76c5540 fffff807`00000000 ffffe209`bbcfe140 ffffc489`2a98e701 : nt!ObpReferenceObjectByHandleWithTag+0x4c9
ffffc489`2a98e730 fffff807`6ac19608 : 00000000`0000020c ffffc489`2a98e7c8 ffffe209`bb602000 ffffe209`ddb65c90 : nt!ObReferenceObjectByHandle+0x2e
ffffc489`2a98e780 fffff807`6ac1943b : ffffe209`c2b8b780 ffffe209`c2b8b700 ffffe209`00000000 00000000`c000000d : afd!AfdPoll64+0x1a8
ffffc489`2a98e890 fffff807`6ac192ad : ffffe209`c2b8b928 00000000`00000000 00000000`00000000 00000000`00000000 : afd!AfdPoll+0x2b
ffffc489`2a98e8c0 fffff807`67b630d9 : ffffe209`c2b8b780 00000000`00000000 00000000`00000000 00000000`00000000 : afd!AfdDispatchDeviceControl+0x7d
ffffc489`2a98e8f0 fffff807`6811e721 : ffffe209`c2b8b780 00000000`00000000 00000000`00000000 ffffe209`ddb65c90 : nt!IofCallDriver+0x59
ffffc489`2a98e930 fffff807`6814964a : 00000000`00000005 ffffe209`c2b8b780 ffffc489`20206f49 ffffc489`2a98ec80 : nt!IopSynchronousServiceTail+0x1b1
ffffc489`2a98e9e0 fffff807`680d62d6 : 00000000`00000000 00000000`000004b8 00000000`00000000 00000000`00000000 : nt!IopXxxControlFile+0x68a
ffffc489`2a98eb20 fffff807`67c6f785 : 00000000`00000000 00000000`00000001 00000000`00000000 ffffc489`2a98ec01 : nt!NtDeviceIoControlFile+0x56
ffffc489`2a98eb90 00007ff9`1393f754 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x25
0000009b`ce9fefe8 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x00007ff9`1393f754


THREAD_SHA1_HASH_MOD_FUNC:  f926688f6fe7aaeae1867f5bc461d5ad3ca3e95c

THREAD_SHA1_HASH_MOD_FUNC_OFFSET:  0dda1c8b25962ebe96c3cbb2b3131786a74df160

THREAD_SHA1_HASH_MOD:  8f24d4e8b0d83e164a7e4f8cc3431a84219932df

FOLLOWUP_IP:
afd!AfdPoll64+1a8
fffff807`6ac19608 0f1f440000      nop     dword ptr [rax+rax]

FAULT_INSTR_CODE:  441f0f

SYMBOL_STACK_INDEX:  4

SYMBOL_NAME:  afd!AfdPoll64+1a8

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: afd

IMAGE_NAME:  afd.sys

DEBUG_FLR_IMAGE_TIMESTAMP:  0

STACK_COMMAND:  .thread ; .cxr ; kb

BUCKET_ID_FUNC_OFFSET:  1a8

FAILURE_BUCKET_ID:  0x18_OVER_DEREFERENCE_afd!AfdPoll64

BUCKET_ID:  0x18_OVER_DEREFERENCE_afd!AfdPoll64

PRIMARY_PROBLEM_CLASS:  0x18_OVER_DEREFERENCE_afd!AfdPoll64

TARGET_TIME:  2019-03-16T11:15:01.000Z

OSBUILD:  17763

OSSERVICEPACK:  0

SERVICEPACK_NUMBER: 0

OS_REVISION: 0

SUITE_MASK:  272

PRODUCT_TYPE:  1

OSPLATFORM_TYPE:  x64

OSNAME:  Windows 10

OSEDITION:  Windows 10 WinNt TerminalServer SingleUserTS

OS_LOCALE: 

USER_LCID:  0

OSBUILD_TIMESTAMP:  unknown_date

BUILDDATESTAMP_STR:  180914-1434

BUILDLAB_STR:  rs5_release

BUILDOSVER_STR:  10.0.17763.1.amd64fre.rs5_release.180914-1434

ANALYSIS_SESSION_ELAPSED_TIME:  ae0

ANALYSIS_SOURCE:  KM

FAILURE_ID_HASH_STRING:  km:0x18_over_dereference_afd!afdpoll64

FAILURE_ID_HASH:  {349cbb02-9d45-d5cb-f8f3-36966ac8d604}

Followup:     MachineOwner
---------

1: kd> !object ffffe209c26e7c50
Object: ffffe209c26e7c50  Type: (ffffe209bbcfd4e0) CoreMessaging
    ObjectHeader: ffffe209c26e7c20 (new version)
    HandleCount: 0  PointerCount: 18446744073709551615

We will also need logs from the event log, because the driver has referenced the object that was necessary for the system service system to function properly.
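The reference-count rule quoted earlier in the thread and the `!object` values in the WinDBG output above can be tied together with a small user-mode model. This is an added example, not kernel code and not from the thread: `ModelObject`, `BugCheck18` and `replay` are hypothetical names, and the model only mirrors the two failure cases the quoted description names.

```python
import re

MASK64 = (1 << 64) - 1

def to_signed64(value):
    """Reinterpret an unsigned 64-bit value as two's-complement signed."""
    value &= MASK64
    return value - (1 << 64) if value >> 63 else value

class BugCheck18(Exception):
    """Model of REFERENCE_BY_POINTER; arg4 follows the description quoted in the thread."""
    def __init__(self, reason, arg4):
        super().__init__(reason)
        self.reason, self.arg4 = reason, arg4 & MASK64

class ModelObject:
    """Toy object header (hypothetical): a pointer count and a handle count."""
    def __init__(self, handles=0):
        self.pointer_count, self.handle_count = 1, handles  # creator's reference
    def reference(self):
        self.pointer_count += 1
    def dereference(self):
        self.pointer_count -= 1
        if self.pointer_count < 0:  # more decrements than increments
            raise BugCheck18("over-dereference", self.pointer_count)
        if self.pointer_count == 0 and self.handle_count:
            raise BugCheck18("zero-with-open-handles", self.handle_count)

def replay(increments, decrements, handles=0):
    """Run an increment/decrement sequence; return the BugCheck18 raised, or None."""
    obj = ModelObject(handles)
    try:
        for _ in range(increments):
            obj.reference()
        for _ in range(decrements):
            obj.dereference()
    except BugCheck18 as bugcheck:
        return bugcheck
    return None

# Two lines taken from the WinDBG output in this thread.
DUMP_TEXT = """BugCheck 18, {0, ffffe209c26e7c50, 2, ffffffffffffffff}
    HandleCount: 0  PointerCount: 18446744073709551615"""

def decode_dump(text):
    """Extract Arg4 and the !object counts, read as signed 64-bit values."""
    args = re.search(r"BugCheck 18, \{([^}]*)\}", text).group(1).split(", ")
    handles, pointers = re.search(
        r"HandleCount: (\d+)\s+PointerCount: (\d+)", text).groups()
    return {"arg4": to_signed64(int(args[3], 16)),
            "handle_count": int(handles),
            "pointer_count": to_signed64(int(pointers))}
```

Read as a signed value, the PointerCount of 18446744073709551615 is -1, the same value `replay(1, 3)` reaches in the model when decrements outnumber increments, which matches the OVER_DEREFERENCE bucket WinDBG assigned.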
 
Thank you for your great work. I guess even these driver crashes could be due to creative sound drivers or peerblock, am I correct in this assumption? It crashed again and this time it is another common BSOD: fltmgr.sys. "A kernel-mode program generated an exception which the error handler did not catch." I am using a Samsung 840 SSD, it's only a couple of years old, 98% health, so the drive should be good. I will disable peerblock next and see what happens.

Here is the dump: 2019-03-17-fltmgr.sys-MEMORY.7z
 
Update: epp.sys, which failed in driver verifier, depends on fltmgr.sys, so I will remove this offline AV scanner first, and continue experimenting with peerblock in compatibility mode.
