WFP driver compatibility with ESET/KIS in v6.1.312 #1565

Closed
vozersky opened this issue Feb 17, 2017 · 361 comments

Member

vozersky commented Feb 17, 2017

Random BSODs.

  • id1503381

Minidumps

Details:
The crashes are quite infrequent. So I don't really know if disabling the WFP driver has helped yet as I only did it yesterday. I use Kaspersky Internet Security 2017, fully patched.

Bugcheck:
https://gist.github.com/vozersky/33d6df1c8961bfb3c67680e24e7d5671
https://gist.github.com/vozersky/8b2e5013f154496192671bda65d1ba2a
https://gist.github.com/vozersky/8512797a5f164e02d49bfe3d442335b9



  • id1485773

Minidump

Bugcheck:
https://gist.github.com/vozersky/91073e2147aaa8b23548517d2968e207
https://gist.github.com/vozersky/26c48059cd2fb71baa98aaa2ecd82f73



Minidumps.zip

Bugcheck:
https://gist.github.com/vozersky/6721c85d5b295a6ed377b0968a6b1877
https://gist.github.com/vozersky/f8c395fb8ac66603ad2df2b5c07f4c98



Also, one user states:

BTW after I turned off the WFP network driver, restarted the computer and turned it on again I had no more crashes. It may be useful to add that to the report.

Member

ameshkov commented Feb 17, 2017

User comment:

BTW after I turned off the WFP network driver, restarted the computer and turned it on again I had no more crashes. It may be useful to add that to the report.

This might be very important. Waiting for the details.

Member Author

vozersky commented Feb 17, 2017

added bugcheck analysis

Member Author

vozersky commented Feb 20, 2017

@zebrum added to the 1st post. No details at the linked page though

Member

Alex-302 commented Feb 21, 2017

BSOD: 5294760d netio.sys
Mini dump:
https://mega.nz/#!gUtEEB4b!KE_uGTfD5SsEjDxYevwlGgmmXhjWkfzfJ0MfHX88haA

http://imagizer.imageshack.com/img924/7347/1yuKlU.png

Kaspersky Free is installed. AG driver - WFP. AG version 6.2.317.1673

Сигнатура проблемы:
  Имя события проблемы:    BlueScreen
  Версия ОС:    6.1.7601.2.1.0.256.4
  Код языка:    1049

Дополнительные сведения об этой проблеме:
  BCCode:    3b
  BCP1:    00000000C0000005
  BCP2:    FFFFF88002740250
  BCP3:    FFFFF8800CF221C0
  BCP4:    0000000000000000
  OS Version:    6_1_7601
  Service Pack:    1_0
  Product:    256_1
Member

ameshkov commented Feb 21, 2017

I have an idea, guys.

As I see, problems occur inside of ekrn.exe and avp.exe files.
What if we completely disable filtering of both these processes with two explicit rules?


confessor-adguard commented Feb 22, 2017

@ameshkov, I think we can make a test build and check this idea.


Bohdan-SUP commented Feb 22, 2017

Sent to 1485773 and 1503381. Will update when they reply.


caleb59 commented Feb 23, 2017

Test build installed, started new tests, thank you!


Yana-SUP commented Feb 23, 2017

1503381
no crashes


caleb59 commented Feb 23, 2017

1485773
It's me...
Well I need a couple of days more to closely test this new build, we'll be in touch...


moraks commented Feb 24, 2017

Hi, I've got 5 BSODs in 5 days after installing Adguard 6.1.314.1628. All of them with code SYSTEM_SERVICE_EXCEPTION (3b).
Problem with Kaspersky IS driver klwtp.sys 17.0.0.611(c). But without ADG Kaspersky works stably, and Kaspersky support does not want to resolve this problem.
Bugcheck analysis of the latest minidump:
Debug_log2_24.txt


skipik commented Feb 24, 2017

Hello, I got a BSOD too.
Adguard 6.1.314.1628, KIS 18.0.0.405, Windows 10 x64 v1607.
I have minidump and a full system dump: https://yadi.sk/d/HTmNsOo43EXVUF
111.txt


caleb59 commented Feb 24, 2017

Please uninstall 6.1.314.1628 first and test with me this new build: https://www.dropbox.com/s/bitzqnbgwp4chn7/Setup.exe?dl=0
One person already confirmed no crashes...


skipik commented Feb 24, 2017

Ok, I'll try that test build, thanks!


moraks commented Feb 25, 2017

New BSOD with the recommended ADG 6.1.315.1633, but another "Caused By Address : NETIO.SYS+e9f3"

On visiting https://my.kaspersky.com/support/requests in Firefox 51.

Bugcheck Analysis

==================================================
Dump File         : 022517-7953-01.dmp
Crash Time        : 25.02.2017 12:49:55
Bug Check String  : SYSTEM_SERVICE_EXCEPTION
Bug Check Code    : 0x0000003b
Parameter 1       : 00000000`c0000005
Parameter 2       : fffff804`bee9e9f3
Parameter 3       : ffffda01`01ff8fd0
Parameter 4       : 00000000`00000000
Caused By Driver  : NETIO.SYS
Caused By Address : NETIO.SYS+e9f3
File Description  : Network I/O Subsystem
Product Name      : Microsoft® Windows® Operating System
Company           : Microsoft Corporation
File Version      : 10.0.14393.0 (rs1_release.160715-1616)
Processor         : x64
Crash Address     : ntoskrnl.exe+14a6f0
Stack Address 1   : 
Stack Address 2   : 
Stack Address 3   : 
Computer Name     : 
Full Path         : C:\WINDOWS\Minidump\022517-7953-01.dmp
Processors Count  : 8
Major Version     : 15
Minor Version     : 14393
Dump File Size    : 445 903
Dump File Time    : 25.02.2017 12:50:18
==================================================

Microsoft (R) Windows Debugger Version 10.0.14321.1024 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.

Loading Dump File [C:\Windows\Minidump\022517-7953-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available

************* Symbol Path validation summary **************
Response Time (ms) Location
Deferred cacheA:\MySymbols
Deferred srv
http://msdl.microsoft.com/download/symbols
Symbol search path is: cacheA:\MySymbols;srvhttp://msdl.microsoft.com/download/symbols
Executable search path is:
Windows 10 Kernel Version 14393 MP (8 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 14393.693.amd64fre.rs1_release.161220-1747
Machine Name:
Kernel base = 0xfffff800eac7a000 PsLoadedModuleList = 0xfffff800eaf7f060
Debug session time: Sat Feb 25 12:49:55.440 2017 (UTC + 7:00)
System Uptime: 0 days 0:10:41.245


* Bugcheck Analysis *

Use !analyze -v to get detailed debugging information.

BugCheck 3B, {c0000005, fffff804bee9e9f3, ffffda0101ff8fd0, 0}

*** WARNING: Unable to verify timestamp for klwtp.sys
*** ERROR: Module load completed but symbols could not be loaded for klwtp.sys
Probably caused by : NETIO.SYS ( NETIO!StreamInvokeCalloutAndNormalizeAction+20f )

Followup: MachineOwner

6: kd> !analyze -v


* Bugcheck Analysis *

SYSTEM_SERVICE_EXCEPTION (3b)
An exception happened while executing a system service routine.
Arguments:
Arg1: 00000000c0000005, Exception code that caused the bugcheck
Arg2: fffff804bee9e9f3, Address of the instruction which caused the bugcheck
Arg3: ffffda0101ff8fd0, Address of the context record for the exception that caused the bugcheck
Arg4: 0000000000000000, zero.

Debugging Details:

DUMP_CLASS: 1

DUMP_QUALIFIER: 400

BUILD_VERSION_STRING: 10.0.14393.693 (rs1_release.161220-1747)

SYSTEM_MANUFACTURER: ASUSTeK COMPUTER INC.

SYSTEM_PRODUCT_NAME: N750JV

SYSTEM_SKU: ASUS-NotebookSKU

SYSTEM_VERSION: 1.0

BIOS_VENDOR: American Megatrends Inc.

BIOS_VERSION: N750JV.210

BIOS_DATE: 04/11/2014

BASEBOARD_MANUFACTURER: ASUSTeK COMPUTER INC.

BASEBOARD_PRODUCT: N750JV

BASEBOARD_VERSION: 1.0

DUMP_TYPE: 2

DUMP_FILE_ATTRIBUTES: 0x8
Kernel Generated Triage Dump

BUGCHECK_P1: c0000005

BUGCHECK_P2: fffff804bee9e9f3

BUGCHECK_P3: ffffda0101ff8fd0

BUGCHECK_P4: 0

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 -

FAULTING_IP:
NETIO!StreamInvokeCalloutAndNormalizeAction+20f
fffff804`bee9e9f3 4183785003 cmp dword ptr [r8+50h],3

CONTEXT: ffffda0101ff8fd0 -- (.cxr 0xffffda0101ff8fd0)
rax=ffffb28ed5a4ab01 rbx=ffffda0101ff9b70 rcx=ffffda00fcf16100
rdx=0000000000001001 rsi=ffffda0101ff9b40 rdi=ffffb28ed5a4abe0
rip=fffff804bee9e9f3 rsp=ffffda0101ff99e0 rbp=ffffda0101ff9a69
r8=0000000000000000 r9=0000000000000014 r10=fffff804beef1ae0
r11=00000000000add3c r12=0000000000000000 r13=0000000000000004
r14=ffffda0101ff9e40 r15=fffff804beef1000
iopl=0 nv up ei pl zr na po nc
cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00010246
NETIO!StreamInvokeCalloutAndNormalizeAction+0x20f:
fffff804bee9e9f3 4183785003 cmp dword ptr [r8+50h],3 ds:002b:0000000000000050=????????
Resetting default scope

CPU_COUNT: 8

CPU_MHZ: 95a

CPU_VENDOR: GenuineIntel

CPU_FAMILY: 6

CPU_MODEL: 3c

CPU_STEPPING: 3

CPU_MICROCODE: 6,3c,3,0 (F,M,S,R) SIG: 1E'00000000 (cache) 1E'00000000 (init)

CUSTOMER_CRASH_COUNT: 1

DEFAULT_BUCKET_ID: WIN8_DRIVER_FAULT

BUGCHECK_STR: 0x3B

PROCESS_NAME: avp.exe

CURRENT_IRQL: 0

ANALYSIS_SESSION_HOST: MORAKSHOME

ANALYSIS_SESSION_TIME: 02-25-2017 13:00:07.0805

ANALYSIS_VERSION: 10.0.14321.1024 amd64fre

LAST_CONTROL_TRANSFER: from fffff804bee9e1a0 to fffff804bee9e9f3

STACK_TEXT:
ffffda0101ff99e0 fffff804bee9e1a0 : ffffb28ed5a4abe0 ffffb28ed5a4abe0 0000000000000000 ffffda0101ff9e40 : NETIO!StreamInvokeCalloutAndNormalizeAction+0x20f
ffffda0101ff9ac0 fffff804bee9d8b7 : ffffb28ecc5b0014 fffff804c19f1890 ffffb28e00000001 ffffb28ed5bf0620 : NETIO!StreamProcessCallout+0x434
ffffda0101ff9c00 fffff804bee9d02e : 0000000000000014 ffffb28ed5bf0620 ffffb28ed5aacd90 ffffda0101ffa2c0 : NETIO!ProcessCallout+0x6b7
ffffda0101ff9d80 fffff804bee9b1c3 : ffffb28ecc492680 ffffda0101ff9fc0 0000000000000000 ffffda0101ffa620 : NETIO!ArbitrateAndEnforce+0x4ee
ffffda0101ff9ec0 fffff804beedbc65 : ffffb28ecdd2c040 fffff804beea0a95 ffffda0101ffb000 ffffb28ecb43b540 : NETIO!KfdClassify+0x303
ffffda0101ffa270 fffff804beedb708 : 0000000000000000 ffffda0101ffa411 00000000000000e5 0000000000000000 : NETIO!StreamInternalClassify+0x109
ffffda0101ffa390 fffff804beed8e25 : 0000000000000014 ffffb28ed5aacbe0 0000000000000000 ffff9e0f6a0cadc0 : NETIO!StreamInject+0x214
ffffda0101ffa460 fffff804bf1d683d : ffffb28ed5aacbe0 0000000000000144 0000000000000000 ffff9e0f00000011 : NETIO!FwppStreamInject+0x135
ffffda0101ffa4f0 fffff804c23e9f96 : ffffb28ed60c8ee0 ffffda0101ffa5c1 ffffb28eccf78380 ffffa10800000002 : fwpkclnt!FwpsStreamInjectAsync0+0xfd
ffffda0101ffa550 ffffb28ed60c8ee0 : ffffda0101ffa5c1 ffffb28eccf78380 ffffa10800000002 ffffb28e00000144 : klwtp+0x9f96
ffffda0101ffa558 ffffda0101ffa5c1 : ffffb28eccf78380 ffffa10800000002 ffffb28e00000144 0000000000000014 : 0xffffb28ed60c8ee0
ffffda0101ffa560 ffffb28eccf78380 : ffffa10800000002 ffffb28e00000144 0000000000000014 ffffda0100000011 : 0xffffda0101ffa5c1
ffffda0101ffa568 ffffa10800000002 : ffffb28e00000144 0000000000000014 ffffda0100000011 ffff9e0f6a0cadc0 : 0xffffb28eccf78380
ffffda0101ffa570 ffffb28e00000144 : 0000000000000014 ffffda0100000011 ffff9e0f6a0cadc0 00000000000000e5 : 0xffffa10800000002
ffffda0101ffa578 0000000000000014 : ffffda0100000011 ffff9e0f6a0cadc0 00000000000000e5 fffff804c23ea158 : 0xffffb28e00000144
ffffda0101ffa580 ffffda0100000011 : ffff9e0f6a0cadc0 00000000000000e5 fffff804c23ea158 ffffb28eccf78380 : 0x14
ffffda0101ffa588 ffff9e0f6a0cadc0 : 00000000000000e5 fffff804c23ea158 ffffb28eccf78380 0000000000000000 : 0xffffda0100000011
ffffda0101ffa590 00000000000000e5 : fffff804c23ea158 ffffb28eccf78380 0000000000000000 ffff9e0f6a0cadc0 : 0xffff9e0f6a0cadc0
ffffda0101ffa598 fffff804c23ea158 : ffffb28eccf78380 0000000000000000 ffff9e0f6a0cadc0 0000000000000000 : 0xe5
ffffda0101ffa5a0 ffffb28eccf78380 : 0000000000000000 ffff9e0f6a0cadc0 0000000000000000 0000000000000000 : klwtp+0xa158
ffffda0101ffa5a8 0000000000000000 : ffff9e0f6a0cadc0 0000000000000000 0000000000000000 ffffb28ed14fb9b0 : 0xffffb28eccf78380

THREAD_SHA1_HASH_MOD_FUNC: 2c018f1dfce0cae4c489b59e6edf4402bbbcf051

THREAD_SHA1_HASH_MOD_FUNC_OFFSET: 4ff7ea13cd5f8516b4cdc6da482517c7dcc1ef1e

THREAD_SHA1_HASH_MOD: 84778420a322981a7404490bc5a15604351d819c

FOLLOWUP_IP:
NETIO!StreamInvokeCalloutAndNormalizeAction+20f
fffff804`bee9e9f3 4183785003 cmp dword ptr [r8+50h],3

FAULT_INSTR_CODE: 50788341

SYMBOL_STACK_INDEX: 0

SYMBOL_NAME: NETIO!StreamInvokeCalloutAndNormalizeAction+20f

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: NETIO

IMAGE_NAME: NETIO.SYS

DEBUG_FLR_IMAGE_TIMESTAMP: 57899b40

IMAGE_VERSION: 10.0.14393.0

STACK_COMMAND: .cxr 0xffffda0101ff8fd0 ; kb

BUCKET_ID_FUNC_OFFSET: 20f

FAILURE_BUCKET_ID: 0x3B_NETIO!StreamInvokeCalloutAndNormalizeAction

BUCKET_ID: 0x3B_NETIO!StreamInvokeCalloutAndNormalizeAction

PRIMARY_PROBLEM_CLASS: 0x3B_NETIO!StreamInvokeCalloutAndNormalizeAction

TARGET_TIME: 2017-02-25T05:49:55.000Z

OSBUILD: 14393

OSSERVICEPACK: 693

SERVICEPACK_NUMBER: 0

OS_REVISION: 0

SUITE_MASK: 272

PRODUCT_TYPE: 1

OSPLATFORM_TYPE: x64

OSNAME: Windows 10

OSEDITION: Windows 10 WinNt TerminalServer SingleUserTS

OS_LOCALE:

USER_LCID: 0

OSBUILD_TIMESTAMP: 2016-12-21 13:50:57

BUILDDATESTAMP_STR: 161220-1747

BUILDLAB_STR: rs1_release

BUILDOSVER_STR: 10.0.14393.693

ANALYSIS_SESSION_ELAPSED_TIME: 469

ANALYSIS_SOURCE: KM

FAILURE_ID_HASH_STRING: km:0x3b_netio!streaminvokecalloutandnormalizeaction

FAILURE_ID_HASH: {5c8d1e60-d80c-cb2d-a65a-8d02e5eeeffd}

Followup: MachineOwner

You may connect to my PC with TeamViewer for detailed debugging (Russian interface).

Minidump 022517-7953-01.zip


moraks commented Feb 25, 2017

BSOD № 2 with the recommended ADG 6.1.315.1633, "Caused By Address : NETIO.SYS+dff8"
On visiting https://e.mail.ru in Firefox 51. :(

Bugcheck Analysis 2

==================================================

Dump File : 022517-8203-01.dmp
Crash Time : 25.02.2017 13:45:12
Bug Check String : SYSTEM_SERVICE_EXCEPTION
Bug Check Code : 0x0000003b
Parameter 1 : 00000000c0000005
Parameter 2 : fffff8050553dff8
Parameter 3 : ffffd301689da0b0
Parameter 4 : 0000000000000000
Caused By Driver : NETIO.SYS
Caused By Address : NETIO.SYS+dff8
File Description : Network I/O Subsystem
Product Name : Microsoft Windows Operating System
Company : Microsoft Corporation
File Version : 10.0.14393.0 (rs1_release.160715-1616)
Processor : x64
Crash Address : ntoskrnl.exe+14a6f0
Stack Address 1 :
Stack Address 2 :
Stack Address 3 :
Computer Name :
Full Path : C:\WINDOWS\Minidump\022517-8203-01.dmp
Processors Count : 8
Major Version : 15
Minor Version : 14393
Dump File Size : 444367
Dump File Time : 25.02.2017 13:45:35

==================================================

Microsoft (R) Windows Debugger Version 10.0.14321.1024 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.

Loading Dump File [C:\Windows\Minidump\022517-8203-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available

Symbol search path is: srv*
Executable search path is:
Windows 10 Kernel Version 14393 MP (8 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 14393.693.amd64fre.rs1_release.161220-1747
Machine Name:
Kernel base = 0xfffff8031548d000 PsLoadedModuleList = 0xfffff80315792060
Debug session time: Sat Feb 25 13:45:12.164 2017 (UTC + 7:00)
System Uptime: 0 days 0:54:59.967


* Bugcheck Analysis *

Use !analyze -v to get detailed debugging information.

BugCheck 3B, {c0000005, fffff8050553dff8, ffffd301689da0b0, 0}

*** WARNING: Unable to verify timestamp for klwtp.sys
*** ERROR: Module load completed but symbols could not be loaded for klwtp.sys
Probably caused by : NETIO.SYS ( NETIO!StreamProcessCallout+28c )

Followup: MachineOwner

7: kd> !analyze -v


* Bugcheck Analysis *

SYSTEM_SERVICE_EXCEPTION (3b)
An exception happened while executing a system service routine.
Arguments:
Arg1: 00000000c0000005, Exception code that caused the bugcheck
Arg2: fffff8050553dff8, Address of the instruction which caused the bugcheck
Arg3: ffffd301689da0b0, Address of the context record for the exception that caused the bugcheck
Arg4: 0000000000000000, zero.

Debugging Details:

DUMP_CLASS: 1

DUMP_QUALIFIER: 400

BUILD_VERSION_STRING: 10.0.14393.693 (rs1_release.161220-1747)

SYSTEM_MANUFACTURER: ASUSTeK COMPUTER INC.

SYSTEM_PRODUCT_NAME: N750JV

SYSTEM_SKU: ASUS-NotebookSKU

SYSTEM_VERSION: 1.0

BIOS_VENDOR: American Megatrends Inc.

BIOS_VERSION: N750JV.210

BIOS_DATE: 04/11/2014

BASEBOARD_MANUFACTURER: ASUSTeK COMPUTER INC.

BASEBOARD_PRODUCT: N750JV

BASEBOARD_VERSION: 1.0

DUMP_TYPE: 2

DUMP_FILE_ATTRIBUTES: 0x8
Kernel Generated Triage Dump

BUGCHECK_P1: c0000005

BUGCHECK_P2: fffff8050553dff8

BUGCHECK_P3: ffffd301689da0b0

BUGCHECK_P4: 0

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 -

FAULTING_IP:
NETIO!StreamProcessCallout+28c
fffff805`0553dff8 483988b0000000 cmp qword ptr [rax+0B0h],rcx

CONTEXT: ffffd301689da0b0 -- (.cxr 0xffffd301689da0b0)
rax=0000000000000000 rbx=ffffae8a3ef274c0 rcx=0000000000000000
rdx=0000000000000000 rsi=0000000000000000 rdi=ffffd301689dae40
rip=fffff8050553dff8 rsp=ffffd301689daac0 rbp=ffffd301689dabb1
r8=fffff80505591ae0 r9=0000000000000000 r10=00000000000000e5
r11=ffffd301689daaa0 r12=0000000000000001 r13=ffffae8a41e14a01
r14=ffffd301689db2c0 r15=0000000000000000
iopl=0 nv up ei pl zr na po nc
cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00010246
NETIO!StreamProcessCallout+0x28c:
fffff8050553dff8 483988b0000000 cmp qword ptr [rax+0B0h],rcx ds:002b:00000000000000b0=????????????????
Resetting default scope

CPU_COUNT: 8

CPU_MHZ: 95a

CPU_VENDOR: GenuineIntel

CPU_FAMILY: 6

CPU_MODEL: 3c

CPU_STEPPING: 3

CPU_MICROCODE: 6,3c,3,0 (F,M,S,R) SIG: 1E'00000000 (cache) 1E'00000000 (init)

CUSTOMER_CRASH_COUNT: 1

DEFAULT_BUCKET_ID: WIN8_DRIVER_FAULT

BUGCHECK_STR: 0x3B

PROCESS_NAME: avp.exe

CURRENT_IRQL: 0

ANALYSIS_SESSION_HOST: MORAKSHOME

ANALYSIS_SESSION_TIME: 02-25-2017 13:57:02.0602

ANALYSIS_VERSION: 10.0.14321.1024 amd64fre

LAST_CONTROL_TRANSFER: from fffff8050553d8b7 to fffff8050553dff8

STACK_TEXT:
ffffd301689daac0 fffff8050553d8b7 : ffffae8a361c0014 fffff80507479fc0 ffffae8a00000000 ffffae8a41e14aa0 : NETIO!StreamProcessCallout+0x28c
ffffd301689dac00 fffff8050553d02e : 0000000000000014 ffffae8a41e14aa0 ffffae8a4097c620 ffffd301689db2c0 : NETIO!ProcessCallout+0x6b7
ffffd301689dad80 fffff8050553b1c3 : ffffae8a361bcac0 ffffd301689dafc0 0000000000000000 ffffd301689db620 : NETIO!ArbitrateAndEnforce+0x4ee
ffffd301689daec0 fffff8050557bc65 : ffffae8a37937c40 fffff80505540a95 ffffd301689dc000 ffffae8a3503b540 : NETIO!KfdClassify+0x303
ffffd301689db270 fffff8050557b708 : 0000000000000000 ffffd301689db411 00000000000000e5 0000000000000000 : NETIO!StreamInternalClassify+0x109
ffffd301689db390 fffff80505578e25 : 0000000000000014 ffffae8a4097c470 0000000000000000 ffffab8cc3a14dc0 : NETIO!StreamInject+0x214
ffffd301689db460 fffff8050610683d : ffffae8a4097c470 0000000000000160 0000000000000000 ffffab8c00000011 : NETIO!FwppStreamInject+0x135
ffffd301689db4f0 fffff805075f9f96 : ffffae8a3efea8f0 ffffd301689db5c1 ffffae8a3d449370 ffffc00a00000002 : fwpkclnt!FwpsStreamInjectAsync0+0xfd
ffffd301689db550 ffffae8a3efea8f0 : ffffd301689db5c1 ffffae8a3d449370 ffffc00a00000002 ffffae8a00000160 : klwtp+0x9f96
ffffd301689db558 ffffd301689db5c1 : ffffae8a3d449370 ffffc00a00000002 ffffae8a00000160 0000000000000014 : 0xffffae8a3efea8f0
ffffd301689db560 ffffae8a3d449370 : ffffc00a00000002 ffffae8a00000160 0000000000000014 ffffd30100000011 : 0xffffd301689db5c1
ffffd301689db568 ffffc00a00000002 : ffffae8a00000160 0000000000000014 ffffd30100000011 ffffab8cc3a14dc0 : 0xffffae8a3d449370
ffffd301689db570 ffffae8a00000160 : 0000000000000014 ffffd30100000011 ffffab8cc3a14dc0 00000000000000e5 : 0xffffc00a00000002
ffffd301689db578 0000000000000014 : ffffd30100000011 ffffab8cc3a14dc0 00000000000000e5 fffff805075fa158 : 0xffffae8a00000160
ffffd301689db580 ffffd30100000011 : ffffab8cc3a14dc0 00000000000000e5 fffff805075fa158 ffffae8a3d449370 : 0x14
ffffd301689db588 ffffab8cc3a14dc0 : 00000000000000e5 fffff805075fa158 ffffae8a3d449370 0000000000000000 : 0xffffd30100000011
ffffd301689db590 00000000000000e5 : fffff805075fa158 ffffae8a3d449370 0000000000000000 ffffab8cc3a14dc0 : 0xffffab8cc3a14dc0
ffffd301689db598 fffff805075fa158 : ffffae8a3d449370 0000000000000000 ffffab8cc3a14dc0 0000000000000000 : 0xe5
ffffd301689db5a0 ffffae8a3d449370 : 0000000000000000 ffffab8cc3a14dc0 0000000000000000 0000000000000000 : klwtp+0xa158
ffffd301689db5a8 0000000000000000 : ffffab8cc3a14dc0 0000000000000000 0000000000000000 ffffae8a409f9ff0 : 0xffffae8a3d449370

THREAD_SHA1_HASH_MOD_FUNC: 7e6e1c8c062954d8d2e881fb670b34d3ff2a27ff

THREAD_SHA1_HASH_MOD_FUNC_OFFSET: 76393709d522da748bdf3745ef3852d95e90938b

THREAD_SHA1_HASH_MOD: 34ca1b6dee43c706b6f7d98fed4799cba6be99e2

FOLLOWUP_IP:
NETIO!StreamProcessCallout+28c
fffff805`0553dff8 483988b0000000 cmp qword ptr [rax+0B0h],rcx

FAULT_INSTR_CODE: b0883948

SYMBOL_STACK_INDEX: 0

SYMBOL_NAME: NETIO!StreamProcessCallout+28c

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: NETIO

IMAGE_NAME: NETIO.SYS

DEBUG_FLR_IMAGE_TIMESTAMP: 57899b40

IMAGE_VERSION: 10.0.14393.0

STACK_COMMAND: .cxr 0xffffd301689da0b0 ; kb

BUCKET_ID_FUNC_OFFSET: 28c

FAILURE_BUCKET_ID: 0x3B_NETIO!StreamProcessCallout

BUCKET_ID: 0x3B_NETIO!StreamProcessCallout

PRIMARY_PROBLEM_CLASS: 0x3B_NETIO!StreamProcessCallout

TARGET_TIME: 2017-02-25T06:45:12.000Z

OSBUILD: 14393

OSSERVICEPACK: 693

SERVICEPACK_NUMBER: 0

OS_REVISION: 0

SUITE_MASK: 272

PRODUCT_TYPE: 1

OSPLATFORM_TYPE: x64

OSNAME: Windows 10

OSEDITION: Windows 10 WinNt TerminalServer SingleUserTS

OS_LOCALE:

USER_LCID: 0

OSBUILD_TIMESTAMP: 2016-12-21 13:50:57

BUILDDATESTAMP_STR: 161220-1747

BUILDLAB_STR: rs1_release

BUILDOSVER_STR: 10.0.14393.693

ANALYSIS_SESSION_ELAPSED_TIME: 53d

ANALYSIS_SOURCE: KM

FAILURE_ID_HASH_STRING: km:0x3b_netio!streamprocesscallout

FAILURE_ID_HASH: {12d5d042-1527-3ed4-7567-edbc67fa5418}

Followup: MachineOwner

7: kd> .cxr 0xffffd301689da0b0
rax=0000000000000000 rbx=ffffae8a3ef274c0 rcx=0000000000000000
rdx=0000000000000000 rsi=0000000000000000 rdi=ffffd301689dae40
rip=fffff8050553dff8 rsp=ffffd301689daac0 rbp=ffffd301689dabb1
r8=fffff80505591ae0 r9=0000000000000000 r10=00000000000000e5
r11=ffffd301689daaa0 r12=0000000000000001 r13=ffffae8a41e14a01
r14=ffffd301689db2c0 r15=0000000000000000
iopl=0 nv up ei pl zr na po nc
cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00010246
NETIO!StreamProcessCallout+0x28c:
fffff8050553dff8 483988b0000000 cmp qword ptr [rax+0B0h],rcx ds:002b:00000000000000b0=????????????????

Minidump_022517-8203-01.zip


caleb59 commented Feb 25, 2017

Again random BSOD on test build, I'm going back to 6.1.314.1628 and turn off WFP driver...
I think you're right @The-Commissioner

Member

ameshkov commented Feb 25, 2017

New report:
022417-35484-01.zip

ameshkov added this to the 6.1 R3 milestone Feb 25, 2017
Member

ameshkov commented Feb 25, 2017

@suhan3z patch for WFP driver has arrived. I need you to rebuild and sign it asap.

Analysis from the driver dev:

The situation is pretty much the same as it was in the Windows Defender case: the TCP context is destroyed when a disconnect arrives after a FIN packet with data.
The only change in the patched driver is WFP layers order, so that incoming packets were going through an AV driver.

UPD: one more thing. We currently disable special treatment for FINs with data in the case when Windows Defender is disabled. Maybe, it'd be enough to use it for all cases including KIS and ESET.


moraks commented Feb 26, 2017

I've turned off the WFP driver too. ~12 h without BSOD...


moraks commented Feb 26, 2017

I enabled a memory limit of 2046Mb and worked for 6 hours with the WFP driver turned on without a BSOD.
Then I disabled the memory limit and a BSOD occurred 10 minutes after reboot.

Member

ameshkov commented Feb 26, 2017

@moraks wait for the next build please, there is a big chance, that we have found out the cause of the issue.


moraks commented Feb 27, 2017

New BSOD with adgnetworktdidrv.sys (I've turned off the WFP driver).
Acestream and adguard main folders added to exceptions list of KIS...
Debug log:
debug_27.txt

I have fulldump (8Gb), sysinfo see at previous post
Upd: Adguard filtering of Acestream is disabled.

Member

ameshkov commented Mar 28, 2017

Guys, I'd like to say thank you very much for all the help!

As a small token of our thanks, I'd love to provide each of you with an AG lifetime license key and also send you a nice souvenir:

Please contact me at am at adguard.com to get it all:) I'll also need to know your mailing address.


BooBerry commented Mar 28, 2017

I guess the Volga with men in black suits still isn't parked outside? :P

Still, no issues with BSODs here, even when running cFosSpeed (which I'm going to nuke now, then fresh install the Windows 10 Creator's Update 'RTM'). I suppose this issue isn't the last you guys will hear about it either as I'm sure other BSODs caused by other vendors will pop up in the future. As long as the minidumps are provided, hopefully they can be worked around like ESET, Kaspersky and Avast. There's also the chance ESET, Kaspersky and Avira will change their drivers again in future update, which could lead to these type of issues repeating.

Such is life, it seems, with WFP in general. Wish Microsoft would actually address these WFP issues on their side. Have you tried reporting them? Who knows, it could be something they address in Redstone 3.


caleb59 commented Mar 28, 2017

Yes, I think that ESET issue is solved, no BSOD's so far - thank God!

Men in black suits are gone for a beer hehe...

If something bad will happen in the future (Creator's Update/ESET update) then I'll inform you all - for now it's time to finally chill out for me...

@ameshkov message sent...
I would like to thank everyone involved in this issue and especially to AdGuard Team for their hard work!


BooBerry commented Mar 28, 2017

Might be time to push the RC to stable then? Assuming, of course, nothing is broken (e.g. TDI driver). :P

Member

ameshkov commented Mar 28, 2017

Yup, we're conducting an inner test now, I hope tomorrow we'll be ready to finally publish it.


skipik commented Mar 28, 2017

I'm on Adguard 6.1.331.1732 RC + KTS 18.0.0.405(a) and everything is good! Thank you for fixing those BSODs! :)


BooBerry commented Mar 28, 2017

@The-Commissioner you might qualify for Andrey's small token (he didn't specify who did or didn't, actually). After all, you have helped out quite a bit!

Hopefully 331 is indeed the magic number. Still no issues, and I'm about to do my upgrade/clean install of the Creators Update of Windows 10.

Member

ameshkov commented Mar 28, 2017

Guys, everybody in this thread is qualified :)


skipik commented Mar 29, 2017

@ameshkov Oh gosh! I got a BSOD with Stealth Mode enabled. Will upload dumps now.
https://www.dropbox.com/s/q9eok8htcl4n8tk/032917-8171-01.dmp.zip?dl=0
There's no full memory dump tho.

Member

ameshkov commented Mar 29, 2017

@skipik never saw anything like that.

The BSOD is inside of the netio.sys, no link to any WFP call at all:

STACK_TEXT:  
ffff8000`d8c06aa0 00000000`00000000 : ffffb705`f14f2830 00000000`00000004 ffff8000`d8c07340 ffffb705`f2c14301 : NETIO+0x128f3
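
A small triage script for the kind of `!analyze -v` output posted in this thread, added here as an example and not part of the original comments or of AdGuard's code: it checks whether the faulting access is a NULL dereference, whether the stack passes through WFP, and which driver called the WFP API. The sample text is abbreviated from the dumps quoted above; the 64 KB NULL threshold and the function-name hints (`Callout`, `Classify`, `Fwp`) are assumptions of this example.

```python
import re

# Constructed samples, abbreviated from the WinDbg output quoted in this thread
# (argument columns trimmed from the first sample's stack lines).
DUMP_KIS = """\
FAULTING_IP:
NETIO!StreamInvokeCalloutAndNormalizeAction+20f
fffff804`bee9e9f3 4183785003 cmp dword ptr [r8+50h],3

CONTEXT: ffffda0101ff8fd0 -- (.cxr 0xffffda0101ff8fd0)
rax=ffffb28ed5a4ab01 rbx=ffffda0101ff9b70 rcx=ffffda00fcf16100
r8=0000000000000000 r9=0000000000000014 r10=fffff804beef1ae0

STACK_TEXT:
ffffda0101ff99e0 fffff804bee9e1a0 : NETIO!StreamInvokeCalloutAndNormalizeAction+0x20f
ffffda0101ff9ac0 fffff804bee9d8b7 : NETIO!StreamProcessCallout+0x434
ffffda0101ff9ec0 fffff804beedbc65 : NETIO!KfdClassify+0x303
ffffda0101ffa460 fffff804bf1d683d : NETIO!FwppStreamInject+0x135
ffffda0101ffa4f0 fffff804c23e9f96 : fwpkclnt!FwpsStreamInjectAsync0+0xfd
ffffda0101ffa550 ffffb28ed60c8ee0 : klwtp+0x9f96
"""

DUMP_STEALTH = """\
STACK_TEXT:
ffff8000`d8c06aa0 00000000`00000000 : ffffb705`f14f2830 00000000`00000004 ffff8000`d8c07340 ffffb705`f2c14301 : NETIO+0x128f3
"""

WFP_API_MODULE = "fwpkclnt"                  # kernel-mode WFP API library seen in the stacks above
WFP_NAME_HINTS = ("Callout", "Classify", "Fwp")  # assumption: name-based heuristic
NULL_PAGE_LIMIT = 0x10000                    # assumption: below 64 KB counts as a NULL dereference

# Matches "module!Function+0x1f" and symbol-less "module+0x1f" frames.
FRAME_RE = re.compile(r"\b([A-Za-z_]\w*)(?:!(\w+))?\+0x([0-9a-fA-F]+)")


def parse_registers(text):
    """Return {register: value} from the .cxr context lines (rax=..., r8=...)."""
    pairs = re.findall(r"\b(r[a-z0-9]{1,2})=([0-9a-f`]+)", text)
    return {name: int(val.replace("`", ""), 16) for name, val in pairs}


def faulting_operand(text):
    """Return (base_register, displacement) of the faulting memory operand, or None."""
    m = re.search(r"FAULTING_IP:.*?\[(\w+)(?:\+([0-9A-Fa-f]+)h)?\]", text, re.S)
    if not m:
        return None
    return m.group(1), int(m.group(2) or "0", 16)


def stack_frames(text):
    """Return [(module, function_or_None)] from STACK_TEXT, newest frame first."""
    m = re.search(r"STACK_TEXT:[ \t]*\n(.*?)(?:\n[ \t]*\n|\Z)", text, re.S)
    if not m:
        return []
    return [(mod, func or None) for mod, func, _off in FRAME_RE.findall(m.group(1))]


def triage(text):
    regs = parse_registers(text)
    operand = faulting_operand(text)
    frames = stack_frames(text)

    # NULL dereference: base register plus displacement lands in the first 64 KB.
    null_deref = None
    if operand and operand[0] in regs:
        null_deref = regs[operand[0]] + operand[1] < NULL_PAGE_LIMIT

    wfp_linked = any(
        mod.lower() == WFP_API_MODULE
        or (func is not None and any(h in func for h in WFP_NAME_HINTS))
        for mod, func in frames
    )

    # The frame right below the oldest fwpkclnt frame is the driver that called the WFP API.
    api_idx = [i for i, (mod, _f) in enumerate(frames) if mod.lower() == WFP_API_MODULE]
    caller = None
    if api_idx and api_idx[-1] + 1 < len(frames):
        caller = frames[api_idx[-1] + 1][0]

    return {
        "faulting_module": frames[0][0] if frames else None,
        "operand": operand,
        "null_deref": null_deref,
        "wfp_linked": wfp_linked,
        "wfp_api_caller": caller,
        "no_symbols": sorted({mod for mod, func in frames if func is None}),
    }


if __name__ == "__main__":
    for name, dump in (("KIS dump", DUMP_KIS), ("Stealth Mode dump", DUMP_STEALTH)):
        print(name, triage(dump))
```

A frame such as `NETIO+0x128f3` carries no function name, so for that dump a missing WFP match only means the name hints had nothing to match against.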

caleb59 commented Mar 29, 2017

@skipik you can try to run CMD as admin and type: sfc /scannow - check if there are any issues in your system files...


skipik commented Mar 29, 2017

@caleb59 I know that. There are no issues at all. Just enabled stealth mode yesterday and got that bsod today.


BooBerry commented Mar 29, 2017

Well, the BSOD didn't have any link to any WFP calls, which would pretty much rule out the WFP driver (and probably Adguard along with it) being the cause, IMO.

Member

ameshkov commented Mar 29, 2017

Who knows, it might be a complicated compatibility issue.

Anyway, there's not much we can do with the minidump. Let's wait a bit, if the issue occurs again, let's create a separate task for it as it does not seem to be linked to the original issue.


skipik commented Mar 29, 2017

@The-Commissioner

  1. Patch A for KTS, but it's installed for a week already. I didn't have any problems until I enabled Stealth Mode.
  2. I installed Win 10 15063 v1703.
  3. It was the same as with the BSODs we had earlier. I was watching some sites and then oups.
  4. Sure, I can.

There weren't any problems without stealth mode, so I disabled it for now.


BooBerry commented Mar 29, 2017

It could be related to the Creator's Update.

By chance were you using Edge? If so is TCP Fast Open enabled or disabled?

Member

ameshkov commented Mar 29, 2017

@skipik could you please also enable full or auto dumps in Win settings? When an issue is that complicated, minidump is almost useless.


skipik commented Mar 29, 2017

@BooBerry I use Opera.
@ameshkov It were enabled, cus I test stuff for Kaspersky Lab too and they always accept only full memory dumps. So I dunno why I don't have it this time.


skipik commented Mar 29, 2017

Yeah, I enabled to block location api, push api and webrtc. It might be the reason?

Member

ameshkov commented Mar 29, 2017

@skipik the only relevant thing is WebRTC blocking. You see, that's the only thing that works on the kernel level, blocking access to STUN servers.


BooBerry commented Mar 29, 2017

Strange, I have Stealth Mode enabled (only the WebRTC option enabled) and haven't encountered any issues. I'll keep testing on the ESET side of things.


skipik commented Mar 29, 2017

I think maybe u shud reenable stealth mode with these two disable

@The-Commissioner
I have it enabled now, but with these settings:
[ ] Block WebRTC
[ ] Block PushAPI
[x] Block location API

Let's test it for a bit. :)

Member

ameshkov commented Mar 31, 2017

Guys, I guess it's time to close this particular issue:)

@skipik regarding KIS vs Stealth Mode compatibility, I guess it'd be better to file a new issue if it occurs again. Also, I suppose that it won't happen in your current configuration as I still suppose that blocking WebRTC is the only thing which might be connected to the issue.

ameshkov closed this Mar 31, 2017

skipik commented Mar 31, 2017

@The-Commissioner It's going good, no problems so far. I use default settings now and it means that I set to block only location API.
@ameshkov Yeah, ok.


skipik commented Apr 10, 2017

@ameshkov Hey! Just got another BSOD with only block location API enabled. And I finally have full memory dump. Should I make another issue?

Member

ameshkov commented Apr 10, 2017

@skipik sure, it'd be better to discuss it in a separate issue.
