06-12-2015 05:57 AM
Installed the latest round of Windows (and driver) updates. 1-3 seconds after GlobalProtect connects, I get a BSOD and reboot. I've read through various memory dumps and it's always one of two issues.
pangps.exe -
IRQL_NOT_LESS_OR_EQUAL (a)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high. This is usually
caused by drivers using improper addresses.
svchost.exe -
KERNEL_SECURITY_CHECK_FAILURE (139)
A kernel component has corrupted a critical data structure. The corruption
could potentially allow a malicious user to gain control of this machine.
GlobalProtect x64 2.2.1-15
This issue does not happen on my desktop (I have yet to update it), same OS. I've rolled back to older network drivers, but it still happens.
Lenovo x1 3rd Gen
Core i5 5300u
8GB RAM
Microsoft (R) Windows Debugger Version 6.3.9600.17336 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.
Loading Dump File [C:\Windows\MEMORY.DMP]
Kernel Bitmap Dump File: Only kernel address space is available
************* Symbol Path validation summary **************
Response Time (ms) Location
Deferred SRV*C:\Windows\symbol_cache*http://msdl.microsoft.com/download/symbols
Symbol search path is: SRV*C:\Windows\symbol_cache*http://msdl.microsoft.com/download/symbols
Executable search path is:
Windows 8 Kernel Version 9600 MP (4 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 9600.17736.amd64fre.winblue_r9.150322-1500
Machine Name:
Kernel base = 0xfffff801`2be70000 PsLoadedModuleList = 0xfffff801`2c149850
Debug session time: Thu Jun 11 20:36:33.995 2015 (UTC - 4:00)
System Uptime: 0 days 0:17:56.848
Loading Kernel Symbols
...............................................................
................................................................
.........Page 1164ad not present in the dump file. Type ".hh dbgerr004" for details
..Page 117d7b not present in the dump file. Type ".hh dbgerr004" for details
....................................
Loading User Symbols
PEB is paged out (Peb.Ldr = 00007ff5`ffffe018). Type ".hh dbgerr001" for details
Loading unloaded module list
.................
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
Use !analyze -v to get detailed debugging information.
BugCheck A, {fffff8012c3a22d1, 2, 8, fffff8012c3a22d1}
*** ERROR: Module load completed but symbols could not be loaded for pangpd.sys
Page 11d96c not present in the dump file. Type ".hh dbgerr004" for details
Probably caused by : pangpd.sys ( pangpd+5682 )
Followup: MachineOwner
---------
2: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
IRQL_NOT_LESS_OR_EQUAL (a)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high. This is usually
caused by drivers using improper addresses.
If a kernel debugger is available get the stack backtrace.
Arguments:
Arg1: fffff8012c3a22d1, memory referenced
Arg2: 0000000000000002, IRQL
Arg3: 0000000000000008, bitfield :
bit 0 : value 0 = read operation, 1 = write operation
bit 3 : value 0 = not an execute operation, 1 = execute operation (only on chips which support this level of status)
Arg4: fffff8012c3a22d1, address which referenced memory
Debugging Details:
------------------
Page 11d96c not present in the dump file. Type ".hh dbgerr004" for details
READ_ADDRESS: unable to get nt!MmNonPagedPoolStart
unable to get nt!MmSizeOfNonPagedPoolInBytes
fffff8012c3a22d1
CURRENT_IRQL: 2
FAULTING_IP:
nt! ?? ::NNGAKEGL::`string'+7421
fffff801`2c3a22d1 4584c9 test r9b,r9b
IP_IN_PAGED_CODE:
nt! ?? ::NNGAKEGL::`string'+7421
fffff801`2c3a22d1 4584c9 test r9b,r9b
DEFAULT_BUCKET_ID: WIN8_DRIVER_FAULT
BUGCHECK_STR: AV
PROCESS_NAME: PanGPS.exe
ANALYSIS_VERSION: 6.3.9600.17336 (debuggers(dbg).150226-1500) amd64fre
TRAP_FRAME: ffffd00023cfd240 -- (.trap 0xffffd00023cfd240)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=ffffcf8181940f98 rbx=0000000000000000 rcx=0000000000000220
rdx=0000000000000000 rsi=0000000000000000 rdi=0000000000000000
rip=fffff8012c3a22d1 rsp=ffffd00023cfd3d0 rbp=0000000000000000
r8=0000000000000000 r9=fffff8012c4e9901 r10=fffff8012c516540
r11=0000000000000000 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei ng nz na pe nc
nt! ?? ::NNGAKEGL::`string'+0x7421:
fffff801`2c3a22d1 4584c9 test r9b,r9b
Resetting default scope
LAST_CONTROL_TRANSFER: from fffff8012bfcc7e9 to fffff8012bfc0ca0
FAILED_INSTRUCTION_ADDRESS:
nt! ?? ::NNGAKEGL::`string'+7421
fffff801`2c3a22d1 4584c9 test r9b,r9b
STACK_TEXT:
ffffd000`23cfd0f8 fffff801`2bfcc7e9 : 00000000`0000000a fffff801`2c3a22d1 00000000`00000002 00000000`00000008 : nt!KeBugCheckEx
ffffd000`23cfd100 fffff801`2bfcb03a : 00000000`00000008 00000000`00000000 fffff6fb`080a0800 fffff6fb`0000000c : nt!KiBugCheckDispatch+0x69
ffffd000`23cfd240 fffff801`2c3a22d1 : 00000000`00000005 ffffe001`c4cc1c80 00000000`000000da fffff801`5bf30078 : nt!KiPageFault+0x23a
ffffd000`23cfd3d0 fffff801`2c20f915 : fffff801`2c294d00 fffff801`00000000 00000000`00000000 ffffcf81`86356e01 : nt! ?? ::NNGAKEGL::`string'+0x7421
ffffd000`23cfd470 fffff801`2c5078e9 : 00000000`00000000 00000000`00000000 ffffe001`bdf49001 00000000`00000000 : nt!ObReferenceObjectByHandle+0x25
ffffd000`23cfd4c0 fffff801`60450682 : ffffe001`bdf49060 ffffd000`23cfd6e0 ffffe001`bdf49060 00000000`00000000 : nt!VerifierObReferenceObjectByHandle+0x49
ffffd000`23cfd500 fffff801`5c8dd18c : ffffe001`bdf49060 ffffcf81`86356ea0 00000000`00000010 00000000`00010283 : pangpd+0x5682
ffffd000`23cfd5b0 fffff801`5c8de176 : ffffe001`bdf49060 00000000`00000000 ffffd000`23cfd6e0 00000000`0020c226 : ndis!ndisDummyIrpHandler+0x88
ffffd000`23cfd5e0 fffff801`5bf26832 : ffffe001`bdf49060 ffffd000`23cfd800 ffffe001`bdf49060 fffff801`5c8ddb10 : ndis!ndisDeviceControlIrpHandler+0x666
ffffd000`23cfd7d0 fffff801`2c4e9911 : ffffcf81`86356ea0 00000000`00000002 00000000`00000000 ffffe001`c4609601 : VerifierExt!xdv_IRP_MJ_DEVICE_CONTROL_wrapper+0xfe
ffffd000`23cfd830 fffff801`2c29577f : 00000000`00000001 ffffd000`23cfdb80 ffffcf81`86356ea0 ffffe001`bdee5120 : nt!IovCallDriver+0x3cd
ffffd000`23cfd880 fffff801`2c294d22 : 00000000`00000000 fffff801`00000000 00000000`00000000 00000000`00000000 : nt!IopXxxControlFile+0xa4f
ffffd000`23cfda20 fffff801`2bfcc4b3 : 00000000`00000001 00000000`002d0000 ffffd000`23cfdac0 00000000`00000000 : nt!NtDeviceIoControlFile+0x56
ffffd000`23cfda90 00007ffe`a247123a : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x13
00000000`00d2fa48 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x00007ffe`a247123a
STACK_COMMAND: kb
FOLLOWUP_IP:
pangpd+5682
fffff801`60450682 89842484000000 mov dword ptr [rsp+84h],eax
SYMBOL_STACK_INDEX: 6
SYMBOL_NAME: pangpd+5682
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: pangpd
IMAGE_NAME: pangpd.sys
DEBUG_FLR_IMAGE_TIMESTAMP: 4c60a3d2
FAILURE_BUCKET_ID: AV_VRF_CODE_AV_PAGED_IP_pangpd+5682
BUCKET_ID: AV_VRF_CODE_AV_PAGED_IP_pangpd+5682
ANALYSIS_SOURCE: KM
FAILURE_ID_HASH_STRING: km:av_vrf_code_av_paged_ip_pangpd+5682
FAILURE_ID_HASH: {fbfcbc21-11e7-641e-13d6-a13f5a4e1754}
Followup: MachineOwner
---------
Microsoft (R) Windows Debugger Version 6.3.9600.17336 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.
Loading Dump File [C:\Windows\MEMORY.DMP]
Kernel Bitmap Dump File: Only kernel address space is available
************* Symbol Path validation summary **************
Response Time (ms) Location
Deferred SRV*C:\Windows\symbol_cache*http://msdl.microsoft.com/download/symbols
Symbol search path is: SRV*C:\Windows\symbol_cache*http://msdl.microsoft.com/download/symbols
Executable search path is:
Windows 8 Kernel Version 9600 MP (4 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 9600.17736.amd64fre.winblue_r9.150322-1500
Machine Name:
Kernel base = 0xfffff801`94878000 PsLoadedModuleList = 0xfffff801`94b51850
Debug session time: Fri Jun 12 08:06:03.552 2015 (UTC - 4:00)
System Uptime: 0 days 0:02:50.353
Loading Kernel Symbols
...............................................................
...............................................................Page 11bd3b not present in the dump file. Type ".hh dbgerr004" for details
.
........Page 11293c not present in the dump file. Type ".hh dbgerr004" for details
..Page 11233f not present in the dump file. Type ".hh dbgerr004" for details
....................................
Loading User Symbols
PEB is paged out (Peb.Ldr = 00007ff6`56366018). Type ".hh dbgerr001" for details
Loading unloaded module list
..............
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
Use !analyze -v to get detailed debugging information.
BugCheck 139, {3, ffffd000b1eed310, ffffd000b1eed268, 0}
Page 11bd3b not present in the dump file. Type ".hh dbgerr004" for details
Probably caused by : NETIO.SYS ( NETIO!NsiGetParameterEx+222 )
Followup: MachineOwner
---------
2: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
KERNEL_SECURITY_CHECK_FAILURE (139)
A kernel component has corrupted a critical data structure. The corruption
could potentially allow a malicious user to gain control of this machine.
Arguments:
Arg1: 0000000000000003, A LIST_ENTRY has been corrupted (i.e. double remove).
Arg2: ffffd000b1eed310, Address of the trap frame for the exception that caused the bugcheck
Arg3: ffffd000b1eed268, Address of the exception record for the exception that caused the bugcheck
Arg4: 0000000000000000, Reserved
Debugging Details:
------------------
Page 11bd3b not present in the dump file. Type ".hh dbgerr004" for details
TRAP_FRAME: ffffd000b1eed310 -- (.trap 0xffffd000b1eed310)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=ffffe001eaa9def0 rbx=0000000000000000 rcx=0000000000000003
rdx=ffffe001e4b1b4e0 rsi=0000000000000000 rdi=0000000000000000
rip=fffff8003fcb6acd rsp=ffffd000b1eed4a0 rbp=0000000000000000
r8=0000000000000000 r9=0000000000000004 r10=ffffe001ea240820
r11=ffffe001eba558b0 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei ng nz na po cy
ndis!ndisNsiGetInterfaceInformation+0x21b8d:
fffff800`3fcb6acd cd29 int 29h
Resetting default scope
EXCEPTION_RECORD: ffffd000b1eed268 -- (.exr 0xffffd000b1eed268)
ExceptionAddress: fffff8003fcb6acd (ndis!ndisNsiGetInterfaceInformation+0x0000000000021b8d)
ExceptionCode: c0000409 (Security check failure or stack buffer overrun)
ExceptionFlags: 00000001
NumberParameters: 1
Parameter[0]: 0000000000000003
DEFAULT_BUCKET_ID: LIST_ENTRY_CORRUPT
BUGCHECK_STR: 0x139
PROCESS_NAME: svchost.exe
CURRENT_IRQL: 2
ERROR_CODE: (NTSTATUS) 0xc0000409 - The system detected an overrun of a stack-based buffer in this application. This overrun could potentially allow a malicious user to gain control of this application.
EXCEPTION_CODE: (NTSTATUS) 0xc0000409 - The system detected an overrun of a stack-based buffer in this application. This overrun could potentially allow a malicious user to gain control of this application.
EXCEPTION_PARAMETER1: 0000000000000003
ANALYSIS_VERSION: 6.3.9600.17336 (debuggers(dbg).150226-1500) amd64fre
LAST_CONTROL_TRANSFER: from fffff801949d47e9 to fffff801949c8ca0
STACK_TEXT:
ffffd000`b1eecfe8 fffff801`949d47e9 : 00000000`00000139 00000000`00000003 ffffd000`b1eed310 ffffd000`b1eed268 : nt!KeBugCheckEx
ffffd000`b1eecff0 fffff801`949d4b10 : 00000000`00000000 00000000`00000001 ffffd000`b1eed1d8 fffff801`00000000 : nt!KiBugCheckDispatch+0x69
ffffd000`b1eed130 fffff801`949d3d34 : ffffc001`c62c4060 00000000`0000000c 00000000`00000000 ffffc001`c62c44d0 : nt!KiFastFailDispatch+0xd0
ffffd000`b1eed310 fffff800`3fcb6acd : 00000000`ffffe001 00000000`00000000 ffffd000`b1eed610 00000000`00000000 : nt!KiRaiseSecurityCheckFailure+0xf4
ffffd000`b1eed4a0 fffff800`3fe93572 : ffffd000`b1eed610 ffffe001`eba55802 ffffe001`eba55800 00000000`00000000 : ndis!ndisNsiGetInterfaceInformation+0x21b8d
ffffd000`b1eed550 fffff800`40b5ea25 : 00000000`00000050 00000000`00000050 ffffe001`e4ab3540 00000000`00000000 : NETIO!NsiGetParameterEx+0x222
ffffd000`b1eed6b0 fffff800`40b5ebe3 : 00000000`00000000 ffffe001`e413e430 ffffe001`e413e360 00000000`00000000 : nsiproxy!NsippGetParameter+0x195
ffffd000`b1eed840 fffff801`94c9d77f : 00000000`00000000 ffffe001`e413e360 ffffe001`e413e360 00000000`00000001 : nsiproxy!NsippDispatch+0x53
ffffd000`b1eed880 fffff801`94c9cd22 : ffffd000`b1eeda38 0000000c`001f0003 00000000`00000000 00000000`00000000 : nt!IopXxxControlFile+0xa4f
ffffd000`b1eeda20 fffff801`949d44b3 : ffffe001`e43a6880 00000000`001f0003 00000067`76b6f3f8 00000067`00000001 : nt!NtDeviceIoControlFile+0x56
ffffd000`b1eeda90 00007ff9`a33c123a : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x13
00000067`76b6f478 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x00007ff9`a33c123a
STACK_COMMAND: kb
FOLLOWUP_IP:
NETIO!NsiGetParameterEx+222
fffff800`3fe93572 8bd8 mov ebx,eax
SYMBOL_STACK_INDEX: 5
SYMBOL_NAME: NETIO!NsiGetParameterEx+222
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: NETIO
IMAGE_NAME: NETIO.SYS
DEBUG_FLR_IMAGE_TIMESTAMP: 546029c5
BUCKET_ID_FUNC_OFFSET: 222
FAILURE_BUCKET_ID: 0x139_3_NETIO!NsiGetParameterEx
BUCKET_ID: 0x139_3_NETIO!NsiGetParameterEx
ANALYSIS_SOURCE: KM
FAILURE_ID_HASH_STRING: km:0x139_3_netio!nsigetparameterex
FAILURE_ID_HASH: {863902cf-27d7-671f-3d7f-44a47e15711d}
Followup: MachineOwner
---------
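For comparing the two dumps above side by side, an added example (not part of the original post or of any vendor tooling): it parses `!analyze -v` text into the bugcheck code, arguments, stack modules in order, frames the debugger had no symbols for, and whether Driver Verifier thunks are on the stack. The sample strings are abridged from the post's output; the function and key names are this example's own.

```python
import re

# Constructed input: lines abridged from the two !analyze -v outputs in the post.
SAMPLE_A = """\
IRQL_NOT_LESS_OR_EQUAL (a)
Arg1: fffff8012c3a22d1, memory referenced
Arg2: 0000000000000002, IRQL
Arg3: 0000000000000008, bitfield :
Arg4: fffff8012c3a22d1, address which referenced memory
PROCESS_NAME: PanGPS.exe
STACK_TEXT:
ffffd000`23cfd0f8 fffff801`2bfcc7e9 : 00000000`0000000a fffff801`2c3a22d1 00000000`00000002 00000000`00000008 : nt!KeBugCheckEx
ffffd000`23cfd4c0 fffff801`60450682 : ffffe001`bdf49060 ffffd000`23cfd6e0 ffffe001`bdf49060 00000000`00000000 : nt!VerifierObReferenceObjectByHandle+0x49
ffffd000`23cfd500 fffff801`5c8dd18c : ffffe001`bdf49060 ffffcf81`86356ea0 00000000`00000010 00000000`00010283 : pangpd+0x5682
ffffd000`23cfd5b0 fffff801`5c8de176 : ffffe001`bdf49060 00000000`00000000 ffffd000`23cfd6e0 00000000`0020c226 : ndis!ndisDummyIrpHandler+0x88
00000000`00d2fa48 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x00007ffe`a247123a
FAILURE_BUCKET_ID: AV_VRF_CODE_AV_PAGED_IP_pangpd+5682
"""
SAMPLE_B = """\
KERNEL_SECURITY_CHECK_FAILURE (139)
Arg1: 0000000000000003, A LIST_ENTRY has been corrupted (i.e. double remove).
PROCESS_NAME: svchost.exe
STACK_TEXT:
ffffd000`b1eecfe8 fffff801`949d47e9 : 00000000`00000139 00000000`00000003 ffffd000`b1eed310 ffffd000`b1eed268 : nt!KeBugCheckEx
ffffd000`b1eed4a0 fffff800`3fe93572 : ffffd000`b1eed610 ffffe001`eba55802 ffffe001`eba55800 00000000`00000000 : ndis!ndisNsiGetInterfaceInformation+0x21b8d
ffffd000`b1eed550 fffff800`40b5ea25 : 00000000`00000050 00000000`00000050 ffffe001`e4ab3540 00000000`00000000 : NETIO!NsiGetParameterEx+0x222
FAILURE_BUCKET_ID: 0x139_3_NETIO!NsiGetParameterEx
"""

ADDR = r"[0-9a-f]{8}`[0-9a-f]{8}"
FRAME = re.compile(rf"^{ADDR} {ADDR} : (?:{ADDR} ){{4}}: (.+)$")
HEADER = re.compile(r"^([A-Z][A-Z0-9_]+) \(([0-9a-f]+)\)$")
ARG = re.compile(r"^Arg[1-4]: ([0-9a-f]+)")
FIELD = re.compile(r"^(PROCESS_NAME|FAILURE_BUCKET_ID):\s+(\S+)")

def parse_analyze(text):
    """Summarise one !analyze -v block for side-by-side triage."""
    r = {"name": None, "code": None, "args": [], "modules": [],
         "unsymbolized": [], "verifier": False}
    in_stack = False
    for line in map(str.strip, text.splitlines()):
        frame = FRAME.match(line) if in_stack else None
        if frame:
            _note_frame(r, frame.group(1))
            continue
        in_stack = line == "STACK_TEXT:"
        if m := HEADER.match(line):
            r["name"], r["code"] = m.group(1), int(m.group(2), 16)
        elif m := ARG.match(line):
            r["args"].append(int(m.group(1), 16))
        elif m := FIELD.match(line):
            r[m.group(1).lower()] = m.group(2)
    return r

def _note_frame(r, sym):
    if sym.startswith("0x"):  # raw user-mode return address, no module name
        return
    module = re.split(r"[!+]", sym, maxsplit=1)[0]
    if module not in r["modules"]:
        r["modules"].append(module)
    # "module+offset" with no "!" means the debugger had no symbols for it.
    if "!" not in sym and module not in r["unsymbolized"]:
        r["unsymbolized"].append(module)
    # Driver Verifier thunks on the stack mean Verifier was enabled for this crash.
    if "Verifier" in sym or "!Iov" in sym:
        r["verifier"] = True

def access_type(arg3):
    """Decode bugcheck 0xA Arg3 using the bit meanings printed in the dump."""
    return {"write": bool(arg3 & 1), "execute": bool(arg3 & 8)}
```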
06-12-2015 07:24 AM
Updating the Intel Dual Band Wireless-AC 7265 to 17.16.0.4 resolved this.
03-05-2021 09:27 AM
Just wanted to let everyone know that if they are having any GlobalProtect issues, and need to troubleshoot the issue, our very own @kiwi has written a great blog all about troubleshooting GlobalProtect.
Be sure to check it out here:
https://live.paloaltonetworks.com/t5/blogs/dotw-globalprotect-troubleshooting-tips/ba-p/383911