GlobalProtect BSOD Windows 8.1


L1 Bithead

Installed the latest round of Windows (and driver) updates.  1-3 seconds after GlobalProtect connects, I get a BSOD and reboot. I've read through various memory dumps and it's always one of two issues.

pangps.exe -

IRQL_NOT_LESS_OR_EQUAL (a)

An attempt was made to access a pageable (or completely invalid) address at an

interrupt request level (IRQL) that is too high.  This is usually

caused by drivers using improper addresses.

svchost.exe -

KERNEL_SECURITY_CHECK_FAILURE (139)

A kernel component has corrupted a critical data structure.  The corruption

could potentially allow a malicious user to gain control of this machine.

GlobalProtect x64 2.2.1-15

This issue does not happen on my desktop (I have yet to update it), same OS.  I've rolled back to older network drivers, but it still happens. 

Lenovo x1 3rd Gen

Core i5 5300u

8GB RAM

Microsoft (R) Windows Debugger Version 6.3.9600.17336 AMD64

Copyright (c) Microsoft Corporation. All rights reserved.

Loading Dump File [C:\Windows\MEMORY.DMP]

Kernel Bitmap Dump File: Only kernel address space is available

************* Symbol Path validation summary **************

Response                         Time (ms)     Location

Deferred                                       SRV*C:\Windows\symbol_cache*http://msdl.microsoft.com/download/symbols

Symbol search path is: SRV*C:\Windows\symbol_cache*http://msdl.microsoft.com/download/symbols

Executable search path is:

Windows 8 Kernel Version 9600 MP (4 procs) Free x64

Product: WinNt, suite: TerminalServer SingleUserTS

Built by: 9600.17736.amd64fre.winblue_r9.150322-1500

Machine Name:

Kernel base = 0xfffff801`2be70000 PsLoadedModuleList = 0xfffff801`2c149850

Debug session time: Thu Jun 11 20:36:33.995 2015 (UTC - 4:00)

System Uptime: 0 days 0:17:56.848

Loading Kernel Symbols

...............................................................

................................................................

.........Page 1164ad not present in the dump file. Type ".hh dbgerr004" for details

..Page 117d7b not present in the dump file. Type ".hh dbgerr004" for details

....................................

Loading User Symbols

PEB is paged out (Peb.Ldr = 00007ff5`ffffe018).  Type ".hh dbgerr001" for details

Loading unloaded module list

.................

*******************************************************************************

*                                                                             *

*                        Bugcheck Analysis                                    *

*                                                                             *

*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck A, {fffff8012c3a22d1, 2, 8, fffff8012c3a22d1}

*** ERROR: Module load completed but symbols could not be loaded for pangpd.sys

Page 11d96c not present in the dump file. Type ".hh dbgerr004" for details

Probably caused by : pangpd.sys ( pangpd+5682 )

Followup: MachineOwner

---------

2: kd> !analyze -v

*******************************************************************************

*                                                                             *

*                        Bugcheck Analysis                                    *

*                                                                             *

*******************************************************************************

IRQL_NOT_LESS_OR_EQUAL (a)

An attempt was made to access a pageable (or completely invalid) address at an

interrupt request level (IRQL) that is too high.  This is usually

caused by drivers using improper addresses.

If a kernel debugger is available get the stack backtrace.

Arguments:

Arg1: fffff8012c3a22d1, memory referenced

Arg2: 0000000000000002, IRQL

Arg3: 0000000000000008, bitfield :

  bit 0 : value 0 = read operation, 1 = write operation

  bit 3 : value 0 = not an execute operation, 1 = execute operation (only on chips which support this level of status)

Arg4: fffff8012c3a22d1, address which referenced memory

Debugging Details:

------------------

Page 11d96c not present in the dump file. Type ".hh dbgerr004" for details

READ_ADDRESS: unable to get nt!MmNonPagedPoolStart

unable to get nt!MmSizeOfNonPagedPoolInBytes

fffff8012c3a22d1

CURRENT_IRQL:  2

FAULTING_IP:

nt! ?? ::NNGAKEGL::`string'+7421

fffff801`2c3a22d1 4584c9          test    r9b,r9b

IP_IN_PAGED_CODE:

nt! ?? ::NNGAKEGL::`string'+7421

fffff801`2c3a22d1 4584c9          test    r9b,r9b

DEFAULT_BUCKET_ID:  WIN8_DRIVER_FAULT

BUGCHECK_STR:  AV

PROCESS_NAME:  PanGPS.exe

ANALYSIS_VERSION: 6.3.9600.17336 (debuggers(dbg).150226-1500) amd64fre

TRAP_FRAME:  ffffd00023cfd240 -- (.trap 0xffffd00023cfd240)

NOTE: The trap frame does not contain all registers.

Some register values may be zeroed or incorrect.

rax=ffffcf8181940f98 rbx=0000000000000000 rcx=0000000000000220

rdx=0000000000000000 rsi=0000000000000000 rdi=0000000000000000

rip=fffff8012c3a22d1 rsp=ffffd00023cfd3d0 rbp=0000000000000000

r8=0000000000000000  r9=fffff8012c4e9901 r10=fffff8012c516540

r11=0000000000000000 r12=0000000000000000 r13=0000000000000000

r14=0000000000000000 r15=0000000000000000

iopl=0         nv up ei ng nz na pe nc

nt! ?? ::NNGAKEGL::`string'+0x7421:

fffff801`2c3a22d1 4584c9          test    r9b,r9b

Resetting default scope

LAST_CONTROL_TRANSFER:  from fffff8012bfcc7e9 to fffff8012bfc0ca0

FAILED_INSTRUCTION_ADDRESS:

nt! ?? ::NNGAKEGL::`string'+7421

fffff801`2c3a22d1 4584c9          test    r9b,r9b

STACK_TEXT: 

ffffd000`23cfd0f8 fffff801`2bfcc7e9 : 00000000`0000000a fffff801`2c3a22d1 00000000`00000002 00000000`00000008 : nt!KeBugCheckEx

ffffd000`23cfd100 fffff801`2bfcb03a : 00000000`00000008 00000000`00000000 fffff6fb`080a0800 fffff6fb`0000000c : nt!KiBugCheckDispatch+0x69

ffffd000`23cfd240 fffff801`2c3a22d1 : 00000000`00000005 ffffe001`c4cc1c80 00000000`000000da fffff801`5bf30078 : nt!KiPageFault+0x23a

ffffd000`23cfd3d0 fffff801`2c20f915 : fffff801`2c294d00 fffff801`00000000 00000000`00000000 ffffcf81`86356e01 : nt! ?? ::NNGAKEGL::`string'+0x7421

ffffd000`23cfd470 fffff801`2c5078e9 : 00000000`00000000 00000000`00000000 ffffe001`bdf49001 00000000`00000000 : nt!ObReferenceObjectByHandle+0x25

ffffd000`23cfd4c0 fffff801`60450682 : ffffe001`bdf49060 ffffd000`23cfd6e0 ffffe001`bdf49060 00000000`00000000 : nt!VerifierObReferenceObjectByHandle+0x49

ffffd000`23cfd500 fffff801`5c8dd18c : ffffe001`bdf49060 ffffcf81`86356ea0 00000000`00000010 00000000`00010283 : pangpd+0x5682

ffffd000`23cfd5b0 fffff801`5c8de176 : ffffe001`bdf49060 00000000`00000000 ffffd000`23cfd6e0 00000000`0020c226 : ndis!ndisDummyIrpHandler+0x88

ffffd000`23cfd5e0 fffff801`5bf26832 : ffffe001`bdf49060 ffffd000`23cfd800 ffffe001`bdf49060 fffff801`5c8ddb10 : ndis!ndisDeviceControlIrpHandler+0x666

ffffd000`23cfd7d0 fffff801`2c4e9911 : ffffcf81`86356ea0 00000000`00000002 00000000`00000000 ffffe001`c4609601 : VerifierExt!xdv_IRP_MJ_DEVICE_CONTROL_wrapper+0xfe

ffffd000`23cfd830 fffff801`2c29577f : 00000000`00000001 ffffd000`23cfdb80 ffffcf81`86356ea0 ffffe001`bdee5120 : nt!IovCallDriver+0x3cd

ffffd000`23cfd880 fffff801`2c294d22 : 00000000`00000000 fffff801`00000000 00000000`00000000 00000000`00000000 : nt!IopXxxControlFile+0xa4f

ffffd000`23cfda20 fffff801`2bfcc4b3 : 00000000`00000001 00000000`002d0000 ffffd000`23cfdac0 00000000`00000000 : nt!NtDeviceIoControlFile+0x56

ffffd000`23cfda90 00007ffe`a247123a : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x13

00000000`00d2fa48 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x00007ffe`a247123a

STACK_COMMAND:  kb

FOLLOWUP_IP:

pangpd+5682

fffff801`60450682 89842484000000  mov     dword ptr [rsp+84h],eax

SYMBOL_STACK_INDEX:  6

SYMBOL_NAME:  pangpd+5682

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: pangpd

IMAGE_NAME:  pangpd.sys

DEBUG_FLR_IMAGE_TIMESTAMP:  4c60a3d2

FAILURE_BUCKET_ID:  AV_VRF_CODE_AV_PAGED_IP_pangpd+5682

BUCKET_ID:  AV_VRF_CODE_AV_PAGED_IP_pangpd+5682

ANALYSIS_SOURCE:  KM

FAILURE_ID_HASH_STRING:  km:av_vrf_code_av_paged_ip_pangpd+5682

FAILURE_ID_HASH:  {fbfcbc21-11e7-641e-13d6-a13f5a4e1754}

Followup: MachineOwner

---------

Microsoft (R) Windows Debugger Version 6.3.9600.17336 AMD64

Copyright (c) Microsoft Corporation. All rights reserved.

Loading Dump File [C:\Windows\MEMORY.DMP]

Kernel Bitmap Dump File: Only kernel address space is available

************* Symbol Path validation summary **************

Response                         Time (ms)     Location

Deferred                                       SRV*C:\Windows\symbol_cache*http://msdl.microsoft.com/download/symbols

Symbol search path is: SRV*C:\Windows\symbol_cache*http://msdl.microsoft.com/download/symbols

Executable search path is:

Windows 8 Kernel Version 9600 MP (4 procs) Free x64

Product: WinNt, suite: TerminalServer SingleUserTS

Built by: 9600.17736.amd64fre.winblue_r9.150322-1500

Machine Name:

Kernel base = 0xfffff801`94878000 PsLoadedModuleList = 0xfffff801`94b51850

Debug session time: Fri Jun 12 08:06:03.552 2015 (UTC - 4:00)

System Uptime: 0 days 0:02:50.353

Loading Kernel Symbols

...............................................................

...............................................................Page 11bd3b not present in the dump file. Type ".hh dbgerr004" for details

.

........Page 11293c not present in the dump file. Type ".hh dbgerr004" for details

..Page 11233f not present in the dump file. Type ".hh dbgerr004" for details

....................................

Loading User Symbols

PEB is paged out (Peb.Ldr = 00007ff6`56366018).  Type ".hh dbgerr001" for details

Loading unloaded module list

..............

*******************************************************************************

*                                                                             *

*                        Bugcheck Analysis                                    *

*                                                                             *

*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 139, {3, ffffd000b1eed310, ffffd000b1eed268, 0}

Page 11bd3b not present in the dump file. Type ".hh dbgerr004" for details

Probably caused by : NETIO.SYS ( NETIO!NsiGetParameterEx+222 )

Followup: MachineOwner

---------

2: kd> !analyze -v

*******************************************************************************

*                                                                             *

*                        Bugcheck Analysis                                    *

*                                                                             *

*******************************************************************************

KERNEL_SECURITY_CHECK_FAILURE (139)

A kernel component has corrupted a critical data structure.  The corruption

could potentially allow a malicious user to gain control of this machine.

Arguments:

Arg1: 0000000000000003, A LIST_ENTRY has been corrupted (i.e. double remove).

Arg2: ffffd000b1eed310, Address of the trap frame for the exception that caused the bugcheck

Arg3: ffffd000b1eed268, Address of the exception record for the exception that caused the bugcheck

Arg4: 0000000000000000, Reserved

Debugging Details:

------------------

Page 11bd3b not present in the dump file. Type ".hh dbgerr004" for details

TRAP_FRAME:  ffffd000b1eed310 -- (.trap 0xffffd000b1eed310)

NOTE: The trap frame does not contain all registers.

Some register values may be zeroed or incorrect.

rax=ffffe001eaa9def0 rbx=0000000000000000 rcx=0000000000000003

rdx=ffffe001e4b1b4e0 rsi=0000000000000000 rdi=0000000000000000

rip=fffff8003fcb6acd rsp=ffffd000b1eed4a0 rbp=0000000000000000

r8=0000000000000000  r9=0000000000000004 r10=ffffe001ea240820

r11=ffffe001eba558b0 r12=0000000000000000 r13=0000000000000000

r14=0000000000000000 r15=0000000000000000

iopl=0         nv up ei ng nz na po cy

ndis!ndisNsiGetInterfaceInformation+0x21b8d:

fffff800`3fcb6acd cd29            int     29h

Resetting default scope

EXCEPTION_RECORD:  ffffd000b1eed268 -- (.exr 0xffffd000b1eed268)

ExceptionAddress: fffff8003fcb6acd (ndis!ndisNsiGetInterfaceInformation+0x0000000000021b8d)

   ExceptionCode: c0000409 (Security check failure or stack buffer overrun)

  ExceptionFlags: 00000001

NumberParameters: 1

   Parameter[0]: 0000000000000003

DEFAULT_BUCKET_ID:  LIST_ENTRY_CORRUPT

BUGCHECK_STR:  0x139

PROCESS_NAME:  svchost.exe

CURRENT_IRQL:  2

ERROR_CODE: (NTSTATUS) 0xc0000409 - The system detected an overrun of a stack-based buffer in this application. This overrun could potentially allow a malicious user to gain control of this application.

EXCEPTION_CODE: (NTSTATUS) 0xc0000409 - The system detected an overrun of a stack-based buffer in this application. This overrun could potentially allow a malicious user to gain control of this application.

EXCEPTION_PARAMETER1:  0000000000000003

ANALYSIS_VERSION: 6.3.9600.17336 (debuggers(dbg).150226-1500) amd64fre

LAST_CONTROL_TRANSFER:  from fffff801949d47e9 to fffff801949c8ca0

STACK_TEXT: 

ffffd000`b1eecfe8 fffff801`949d47e9 : 00000000`00000139 00000000`00000003 ffffd000`b1eed310 ffffd000`b1eed268 : nt!KeBugCheckEx

ffffd000`b1eecff0 fffff801`949d4b10 : 00000000`00000000 00000000`00000001 ffffd000`b1eed1d8 fffff801`00000000 : nt!KiBugCheckDispatch+0x69

ffffd000`b1eed130 fffff801`949d3d34 : ffffc001`c62c4060 00000000`0000000c 00000000`00000000 ffffc001`c62c44d0 : nt!KiFastFailDispatch+0xd0

ffffd000`b1eed310 fffff800`3fcb6acd : 00000000`ffffe001 00000000`00000000 ffffd000`b1eed610 00000000`00000000 : nt!KiRaiseSecurityCheckFailure+0xf4

ffffd000`b1eed4a0 fffff800`3fe93572 : ffffd000`b1eed610 ffffe001`eba55802 ffffe001`eba55800 00000000`00000000 : ndis!ndisNsiGetInterfaceInformation+0x21b8d

ffffd000`b1eed550 fffff800`40b5ea25 : 00000000`00000050 00000000`00000050 ffffe001`e4ab3540 00000000`00000000 : NETIO!NsiGetParameterEx+0x222

ffffd000`b1eed6b0 fffff800`40b5ebe3 : 00000000`00000000 ffffe001`e413e430 ffffe001`e413e360 00000000`00000000 : nsiproxy!NsippGetParameter+0x195

ffffd000`b1eed840 fffff801`94c9d77f : 00000000`00000000 ffffe001`e413e360 ffffe001`e413e360 00000000`00000001 : nsiproxy!NsippDispatch+0x53

ffffd000`b1eed880 fffff801`94c9cd22 : ffffd000`b1eeda38 0000000c`001f0003 00000000`00000000 00000000`00000000 : nt!IopXxxControlFile+0xa4f

ffffd000`b1eeda20 fffff801`949d44b3 : ffffe001`e43a6880 00000000`001f0003 00000067`76b6f3f8 00000067`00000001 : nt!NtDeviceIoControlFile+0x56

ffffd000`b1eeda90 00007ff9`a33c123a : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x13

00000067`76b6f478 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x00007ff9`a33c123a

STACK_COMMAND:  kb

FOLLOWUP_IP:

NETIO!NsiGetParameterEx+222

fffff800`3fe93572 8bd8            mov     ebx,eax

SYMBOL_STACK_INDEX:  5

SYMBOL_NAME:  NETIO!NsiGetParameterEx+222

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: NETIO

IMAGE_NAME:  NETIO.SYS

DEBUG_FLR_IMAGE_TIMESTAMP:  546029c5

BUCKET_ID_FUNC_OFFSET:  222

FAILURE_BUCKET_ID:  0x139_3_NETIO!NsiGetParameterEx

BUCKET_ID:  0x139_3_NETIO!NsiGetParameterEx

ANALYSIS_SOURCE:  KM

FAILURE_ID_HASH_STRING:  km:0x139_3_netio!nsigetparameterex

FAILURE_ID_HASH:  {863902cf-27d7-671f-3d7f-44a47e15711d}

Followup: MachineOwner

---------

Accepted Solutions

L1 Bithead

Updating the Intel Dual Band Wireless-AC 7265 to 17.16.0.4 resolved this.
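
The two dumps in this thread can be triaged mechanically. The following added example (not part of the original thread, and not vendor code) parses `!analyze -v` text, decodes the bugcheck arguments and lists third-party modules on the faulting stack; the `OS_MODULES` allow-list and all function names are assumptions of this example.

```python
import re

# Assumption of this example: modules treated as Microsoft-shipped. On a real
# system confirm with `lmvm <module>` in the debugger, not a hard-coded list.
OS_MODULES = {"nt", "hal", "ndis", "netio", "nsiproxy", "verifierext"}

BUGCHECK = re.compile(r"^BugCheck ([0-9A-Fa-f]+), \{([^}]*)\}", re.M)
FIELD = re.compile(r"^(PROCESS_NAME|IMAGE_NAME):\s+(\S+)", re.M)
# child-SP, return address, four argument slots, then the symbol
FRAME = re.compile(r"^[0-9a-f`]+ [0-9a-f`]+ : [0-9a-f` ]+ : (\S.*)$", re.M)
MODULE = re.compile(r"([A-Za-z_]\w*)[!+]")

# Abridged from the two dumps in this thread (frames omitted, lines unchanged).
DUMP_A = """
BugCheck A, {fffff8012c3a22d1, 2, 8, fffff8012c3a22d1}
PROCESS_NAME:  PanGPS.exe
STACK_TEXT:
ffffd000`23cfd0f8 fffff801`2bfcc7e9 : 00000000`0000000a fffff801`2c3a22d1 00000000`00000002 00000000`00000008 : nt!KeBugCheckEx
ffffd000`23cfd240 fffff801`2c3a22d1 : 00000000`00000005 ffffe001`c4cc1c80 00000000`000000da fffff801`5bf30078 : nt!KiPageFault+0x23a
ffffd000`23cfd470 fffff801`2c5078e9 : 00000000`00000000 00000000`00000000 ffffe001`bdf49001 00000000`00000000 : nt!ObReferenceObjectByHandle+0x25
ffffd000`23cfd4c0 fffff801`60450682 : ffffe001`bdf49060 ffffd000`23cfd6e0 ffffe001`bdf49060 00000000`00000000 : nt!VerifierObReferenceObjectByHandle+0x49
ffffd000`23cfd500 fffff801`5c8dd18c : ffffe001`bdf49060 ffffcf81`86356ea0 00000000`00000010 00000000`00010283 : pangpd+0x5682
ffffd000`23cfd5e0 fffff801`5bf26832 : ffffe001`bdf49060 ffffd000`23cfd800 ffffe001`bdf49060 fffff801`5c8ddb10 : ndis!ndisDeviceControlIrpHandler+0x666
ffffd000`23cfd830 fffff801`2c29577f : 00000000`00000001 ffffd000`23cfdb80 ffffcf81`86356ea0 ffffe001`bdee5120 : nt!IovCallDriver+0x3cd
00000000`00d2fa48 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x00007ffe`a247123a
IMAGE_NAME:  pangpd.sys
"""
DUMP_B = """
BugCheck 139, {3, ffffd000b1eed310, ffffd000b1eed268, 0}
PROCESS_NAME:  svchost.exe
STACK_TEXT:
ffffd000`b1eecfe8 fffff801`949d47e9 : 00000000`00000139 00000000`00000003 ffffd000`b1eed310 ffffd000`b1eed268 : nt!KeBugCheckEx
ffffd000`b1eed310 fffff800`3fcb6acd : 00000000`ffffe001 00000000`00000000 ffffd000`b1eed610 00000000`00000000 : nt!KiRaiseSecurityCheckFailure+0xf4
ffffd000`b1eed4a0 fffff800`3fe93572 : ffffd000`b1eed610 ffffe001`eba55802 ffffe001`eba55800 00000000`00000000 : ndis!ndisNsiGetInterfaceInformation+0x21b8d
ffffd000`b1eed550 fffff800`40b5ea25 : 00000000`00000050 00000000`00000050 ffffe001`e4ab3540 00000000`00000000 : NETIO!NsiGetParameterEx+0x222
ffffd000`b1eed840 fffff801`94c9d77f : 00000000`00000000 ffffe001`e413e360 ffffe001`e413e360 00000000`00000001 : nsiproxy!NsippDispatch+0x53
IMAGE_NAME:  NETIO.SYS
"""


def parse(text):
    """Pull the bugcheck code, its arguments, key fields and stack symbols."""
    m = BUGCHECK.search(text)
    if not m:
        raise ValueError("no 'BugCheck' summary line found")
    fields = dict(FIELD.findall(text))
    return {
        "code": int(m.group(1), 16),
        "args": [int(a, 16) for a in m.group(2).split(",")],
        "process": fields.get("PROCESS_NAME"),
        "blamed": fields.get("IMAGE_NAME"),
        "frames": [s.strip() for s in FRAME.findall(text)],
    }


def triage(text):
    """Summarise one dump: decoded arguments plus third-party modules on the stack."""
    d = parse(text)
    # Frames that are bare addresses (user mode, no symbol) yield no module.
    mods = [m.group(1) for m in map(MODULE.match, d["frames"]) if m]
    third_party = sorted({m for m in mods if m.lower() not in OS_MODULES})
    # Driver Verifier thunks on the stack mean checks were stricter than normal.
    verifier = any("Verifier" in f or "!Iov" in f for f in d["frames"])
    notes = []
    if d["code"] == 0xA:
        a1, irql, bits, a4 = d["args"]
        op = "execute" if bits & 8 else ("write" if bits & 1 else "read")
        notes.append(f"{op} at IRQL {irql}")
        if a1 == a4:
            notes.append("faulting address is the instruction pointer itself")
    elif d["code"] == 0x139 and d["args"][0] == 3:
        notes.append("LIST_ENTRY corrupted")
    if not third_party:
        notes.append("no third-party frame: the stack shows where the "
                     "corruption was detected, not which driver caused it")
    return {"code": d["code"], "process": d["process"], "blamed": d["blamed"],
            "third_party": third_party, "verifier": verifier, "notes": notes}


if __name__ == "__main__":
    for dump in (DUMP_A, DUMP_B):
        print(triage(dump))
```

For the 0x139 dump the result names no third-party module, which fits the thread's outcome: the module `!analyze` blamed was NETIO.SYS, while the accepted fix was a wireless driver update.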


Just wanted to let everyone know that if they are having any GlobalProtect issues and need to troubleshoot the issue, our very own @kiwi has written a great blog all about troubleshooting GlobalProtect.

Be sure to check it out here: 
https://live.paloaltonetworks.com/t5/blogs/dotw-globalprotect-troubleshooting-tips/ba-p/383911

LIVEcommunity team member
Stay Secure,
Joe