BSOD. KMODE_EXCEPTION_NOT_HANDLED in FwppInjectComplete #129

Closed
Odnoburtsev opened this issue Apr 24, 2018 · 15 comments

@Odnoburtsev Odnoburtsev commented Apr 24, 2018

Driver version is 1.4

I compiled the WebFilter sample and ran it. To check the driver's speed I wrote a tool that makes parallel web requests (100 threads, each request uses a new port) and measures the average response time. A system crash occurred (KMODE_EXCEPTION_NOT_HANDLED, EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s).

STACK_TEXT:  

ffffd000`2dda43c8 fffff800`cd601c4e : 00000000`0000001e ffffffff`c0000005 fffff801`76f6a6dd 00000000`00000000 : nt!KeBugCheckEx
ffffd000`2dda43d0 fffff800`cd576eed : ffffd000`2dda4b40 00000000`00000000 ffffd000`2dda5338 ffffd000`2dda4540 : nt!KiFatalExceptionHandler+0x22
ffffd000`2dda4410 fffff800`cd4f9125 : 00000000`00000001 fffff800`cd41f000 ffffd000`2dda5301 00000000`00000000 : nt!RtlpExecuteHandlerForException+0xd
ffffd000`2dda4440 fffff800`cd4fd4de : ffffd000`2dda5338 ffffd000`2dda5040 ffffd000`2dda5338 00000000`00000000 : nt!RtlDispatchException+0x1a5
ffffd000`2dda4b10 fffff800`cd57b5c2 : ffffe000`a952ace0 00000000`00000001 ffffd000`2dda5290 fffff801`77230eff : nt!KiDispatchException+0x646
ffffd000`2dda5200 fffff800`cd579afe : ffffe000`a94cf8a0 00000000`00000001 00000000`00000000 00000000`00000000 : nt!KiExceptionDispatch+0xc2
ffffd000`2dda53e0 fffff801`76f6a6dd : ffffe000`aa56b240 ffffe000`aab49850 00000000`00000000 00000000`00000000 : nt!KiGeneralProtectionFault+0xfe
ffffd000`2dda5570 fffff801`764018c1 : ffffe000`aab49850 00000000`00000001 fffff801`7641a7b0 00000000`00000000 : fwpkclnt!FwppInjectComplete+0x79
ffffd000`2dda55b0 fffff801`76401402 : 00000000`00000000 ffffe000`aab49850 ffffd000`2dda5750 fffff801`775c9600 : NETIO!NetioDereferenceNetBufferList+0xc1
ffffd000`2dda5630 fffff801`76d433e7 : ffffe000`aab4f850 fffff801`7720a201 00000000`00000000 00000000`00000000 : NETIO!NetioDereferenceNetBufferListChain+0x2e2
ffffd000`2dda56d0 fffff801`764c9660 : 00000000`00000001 ffffd000`2dda5769 ffffe000`a7ecc1a0 fffff801`772038e7 : tcpip!FlSendNetBufferListChainComplete+0x57
ffffd000`2dda5700 fffff801`764c8ed1 : ffffe000`a7ecc1a0 ffffe000`aab4f850 fffff801`00000001 ffffe000`a930a500 : NDIS!ndisMSendCompleteNetBufferListsInternal+0x140
ffffd000`2dda57d0 fffff801`7774d1ec : ffffe000`a7ecc1a0 ffffe000`aab4f850 00000000`00000003 00000000`00000000 : NDIS!NdisMSendNetBufferListsComplete+0x4f1
ffffd000`2dda5940 fffff801`77742197 : 00000000`00000001 ffffe000`a92202f0 00000000`00000000 ffff0001`00000001 : e1i63x64!TRANSMIT::TxProcessInterrupts+0x37c
ffffd000`2dda59f0 fffff801`7774257e : ffffe000`a92202f0 ffffe000`00000000 ffff0001`00000001 ffff0001`00000001 : e1i63x64!INTERRUPT::MsgIntDpcTxRxProcessing+0x207
ffffd000`2dda5a60 fffff801`77741b78 : ffffd000`2dda5b79 ffff0001`00000001 00000000`00000000 ffffe000`a7ecc1a0 : e1i63x64!INTERRUPT::MsgIntMessageInterruptDPC+0x13e
ffffd000`2dda5ac0 fffff801`764c4e02 : ffffe000`aafaf1f0 ffffe000`a7d083d8 ffffd000`2dda5c80 fffff800`cd6d1200 : e1i63x64!INTERRUPT::MiniportMessageInterruptDPC+0x28
ffffd000`2dda5b00 fffff800`cd4e9cd0 : 00000000`00000000 ffffd000`2dda5e70 ffffd000`2dda5e70 00000000`000000f0 : NDIS!ndisInterruptDpc+0x1a3
ffffd000`2dda5be0 fffff800`cd4e8f87 : 00000000`00000016 00000000`002540be 00000000`00000000 ffffd000`2dd75180 : nt!KiExecuteAllDpcs+0x1b0
ffffd000`2dda5d30 fffff800`cd572ad5 : 80000000`00880121 ffffd000`2dd75180 ffffd000`2a6f2a00 00000000`0202dd40 : nt!KiRetireDpcList+0xd7
ffffd000`2dda5fb0 fffff800`cd5728d9 : 00000000`00000001 00000000`0202dd40 00000000`00000000 00000000`fef69000 : nt!KxRetireDpcList+0x5
ffffd000`2ba6aac0 fffff800`cd574b45 : 00000000`77811b10 fffff800`cd570fb3 00000000`00000001 00000000`00000001 : nt!KiDispatchInterruptContinue
ffffd000`2ba6aaf0 fffff800`cd570fb3 : 00000000`00000001 00000000`00000001 00000000`00000001 00000000`fef69000 : nt!KiDpcInterruptBypass+0x25
ffffd000`2ba6ab00 00000000`72af3894 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiInterruptDispatch+0x173
00000000`07aaef78 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x72af3894

I started to investigate the reason for the BSOD and found out that there are no crashes when the driver works in Sniff mode. In other words, it seems that something is going on during packet injection (perhaps only when callouts work).
Also I found out that it happens when some network-related tool is running at the same time as the WinDivert driver (e.g. HP Velocity, Carbon Black Response, HP Security Client Package). There are no crashes when these tools work without the WinDivert driver. Also there are no crashes when the WinDivert driver works without these tools.

In most dump files the process that causes the BSOD is a process that works with the WinDivert driver; in some cases it is the System process.

@TechnikEmpire TechnikEmpire commented Apr 24, 2018

Can we see the actual code used to create the crash? Would be super helpful to be able to reproduce at will.

I have sleep in my eyes still and I'm out of my element here but I'm confused as to why the trace is full of NDIS related calls when WFP != NDIS.

@TechnikEmpire TechnikEmpire commented Apr 24, 2018

Any chance something like VirtualBox is installed or anything else that would create a virtual adapter? If I had to guess in my ignorance, I'd say you have a virtual adapter driver that is modifying its packet buffer chain or doing some other no-no like not properly releasing such resources.

They get an exclusive lock they need to release and there's other rules they need to follow where such mistakes wouldn't become an issue in sniff mode but would be an issue where WinDivert or any other similar driver is actively capturing, popping and then reinjecting.

If you can, use the dev console that afaik comes with WDDK to enumerate all drivers, bring that dump here, then remove any such adapters and make sure their drivers are gone/unloaded, re-run your test and see if the issue doesn't go away.

Btw I'm just some dude not the driver author or anything so take my remarks in that context. :)

Owner

@basil00 basil00 commented Apr 24, 2018

Thanks for the report. As you noted, the problem seems to only occur when other network related (antivirus?) tools are active, which means the issue is likely related to #128. Strange that both issues appear so suddenly, so perhaps a recent Windows update has exposed a new bug?

The stack trace also indicates a similar problem (although the bug check code is different). It appears to be a use-after-free problem of some kind. The symptoms are also similar to #110 but that problem was fixed.

This might be difficult to track down. The bug can be in WinDivert, the antivirus driver, the NIC driver (in this case appears to be e1i63x64), or even Windows itself (although this is unlikely).

Some follow-up questions:

  • Does the problem occur for inbound-only, outbound-only, or either?
  • Does the problem occur for WinDivert 1.3, or even 1.2?

I have sleep in my eyes still and I'm out of my element here but I'm confused as to why the trace is full of NDIS related calls when WFP != NDIS.

WFP is built on top of NDIS so there is a lot of overlap. From the stack trace, it appears that a packet has been dereferenced, and this is invoking some cleanup code, which is crashing. The packet is probably one constructed by WinDivert, or the antivirus driver, so there is a connection. That said, it seems the crash itself occurs outside of any driver.

Assuming everything is working as it should, and the packet is from WinDivert, then I assume the windivert_inject_complete function should be invoked. This function frees the packet WinDivert constructed after the packet has been injected. The current versions of WinDivert only ever inject packets that WinDivert itself has constructed from scratch.
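
The reading of the stack trace described in this comment (skip the exception-dispatch frames, find the frame that faulted, see which drivers sit on the completion path), as an added example that is not part of the original thread or of WinDivert. The list of Microsoft modules and the sample trace (symbol names taken from the traces on this page, addresses constructed) are assumptions.

```python
import re
from collections import namedtuple

Frame = namedtuple("Frame", "module func offset")

ADDR = r"[0-9a-f]{8}`[0-9a-f]{8}"
# WinDbg STACK_TEXT row: child-SP, return address, four argument words, symbol.
FRAME_RE = re.compile(rf"^{ADDR}\s+{ADDR}\s+:(?:\s+{ADDR}){{4}}\s+:\s+(\S+)\s*$", re.I)
# module!function+0xoff, module!function, or module+0xoff when no symbols are loaded.
SYM_RE = re.compile(r"^([A-Za-z_]\w*)(?:!([^+]+))?(?:\+0x([0-9a-f]+))?$", re.I)

# nt frames that only dispatch the exception; the faulting code is the frame below them.
EXCEPTION_PLUMBING = {
    "KeBugCheckEx", "KiFatalExceptionHandler", "RtlpExecuteHandlerForException",
    "RtlDispatchException", "KiDispatchException", "KiExceptionDispatch",
    "KiGeneralProtectionFault", "KiPageFault",
}
# nt frames where an interrupt took over; older frames belong to the interrupted thread.
INTERRUPT_ENTRY = {"KiInterruptDispatch", "KiDpcInterrupt"}
DPC_MARKERS = {"KiExecuteAllDpcs", "KiRetireDpcList"}
# Assumption: Microsoft-shipped modules, listed from the traces on this page.
OS_MODULES = {"nt", "netio", "ndis", "tcpip", "fwpkclnt", "wdf01000", "afd", "verifierext"}


def parse_stack_text(text):
    """Return the symbolised frames of a STACK_TEXT block, newest frame first."""
    frames = []
    for line in text.splitlines():
        m = FRAME_RE.match(line.strip())
        if not m:
            continue  # "STACK_TEXT:" header, blank lines, other !analyze output
        s = SYM_RE.match(m.group(1))
        if s:  # raw-address rows (the unwinder lost the trail) name no module
            frames.append(Frame(s.group(1), s.group(2), int(s.group(3) or "0", 16)))
    return frames


def describe(frame):
    name = frame.module + ("!" + frame.func if frame.func else "")
    return f"{name}+0x{frame.offset:x}" if frame.offset else name


def third_party(frames):
    """Modules outside OS_MODULES, in stack order, without repeats."""
    seen = []
    for f in frames:
        if f.module.lower() not in OS_MODULES and f.module not in seen:
            seen.append(f.module)
    return seen


def is_nt(frame, names):
    return frame.module.lower() == "nt" and frame.func in names


def triage(frames):
    """Locate the faulting frame and split the crash path from the interrupted thread."""
    i = 0
    while i < len(frames) and is_nt(frames[i], EXCEPTION_PLUMBING):
        i += 1
    if i == len(frames):
        return None
    # Frames from the fault down to the interrupt entry ran in the interrupt/DPC.
    # Frames below it are whatever thread was interrupted, which is why
    # PROCESS_NAME differs between dumps that share the same fault.
    cut = next((k for k in range(i, len(frames)) if is_nt(frames[k], INTERRUPT_ENTRY)),
               len(frames))
    crash_path, interrupted = frames[i:cut], frames[cut + 1:]
    return {
        "fault": describe(frames[i]),
        "in_dpc": any(is_nt(f, DPC_MARKERS) for f in crash_path),
        "crash_path_third_party": third_party(crash_path),
        "interrupted_third_party": third_party(interrupted),
    }


def make_trace(symbols):
    """Build STACK_TEXT rows with constructed addresses around the given symbols."""
    pad = "00000000`00000000"
    return "STACK_TEXT:  \n" + "\n".join(
        f"ffffd000`{0x1000 + 0x40 * i:08x} fffff800`{0x2000 + i:08x} : "
        f"{pad} {pad} {pad} {pad} : {sym}"
        for i, sym in enumerate(symbols)
    )


# Constructed sample: a shortened trace using symbol names that appear on this page.
SAMPLE = make_trace([
    "nt!KeBugCheckEx", "nt!KiDispatchException+0x646", "nt!KiGeneralProtectionFault+0xfe",
    "fwpkclnt!FwppInjectComplete+0x79", "NETIO!NetioDereferenceNetBufferList+0xc1",
    "tcpip!FlSendNetBufferListChainComplete+0x57",
    "NDIS!NdisMSendNetBufferListsComplete+0x4f1",
    "e1i63x64!TRANSMIT::TxProcessInterrupts+0x37c", "nt!KiRetireDpcList+0xd7",
    "nt!KiInterruptDispatch+0x173", "ipeaklwf+0x56e0f",
    "NDIS!ndisDummyIrpHandler+0x88", "nt!NtDeviceIoControlFile+0x56", "0x77392352",
])

if __name__ == "__main__":
    for key, value in triage(parse_stack_text(SAMPLE)).items():
        print(f"{key}: {value}")
```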

Author

@Odnoburtsev Odnoburtsev commented Apr 24, 2018

@TechnikEmpire, I'm not sure that the source code of the tool will help us understand what's going on. The tool is written in .NET and has high-level logic. In any case, the source code looks like this:

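using System;                  // Int64
using System.Net;              // WebClient, WebException
using System.Threading.Tasks;  // Parallel, ParallelLoopState

...
static void Main(string[] args)
{
   ...
   // Download every URL in _urls concurrently, bounded by _parallelOptions.
   Parallel.ForEach(_urls, _parallelOptions, DownloadSinglePage);
   ...
}

// Loop body for Parallel.ForEach: fetches a single page (n is the item index).
static void DownloadSinglePage(string url, ParallelLoopState state, Int64 n)
{
   // A fresh WebClient per request, disposed as soon as the download finishes.
   using (var webClient = new WebClient())
   {
      try
      {
         var page = webClient.DownloadString(url);
         ...
      }
      catch (WebException e)
      {
         ...
      }
   }
}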

So, as you can see, it just creates a lot of small requests in both directions.

why the trace is full of NDIS related calls when WFP != NDIS.

I guess it is because WinDivert driver uses the same structures that NDIS level operates. For example, WinDivert creates NET_BUFFER_LIST in some cases and injects it into lower level.

Any chance something like virtual box is installed or anything else that would create a virtual adapter?

I reproduce this issue on a VM, but I don't think that is important because I know that the issue is also reproduced on a physical machine. The stack trace is almost the same, for instance:


EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.


STACK_TEXT:  
fffff801`dbba9608 fffff801`d8e960b6 : 00000000`0000001e ffffffff`c0000005 fffff805`fe8a2819 00000000`00000000 : nt!KeBugCheckEx
fffff801`dbba9610 fffff801`d8e0d99d : fffff801`d9025000 fffff801`d8c9b000 00053694`00889000 00000000`00000000 : nt!KiFatalExceptionHandler+0x22
fffff801`dbba9650 fffff801`d8cc6d94 : 00000000`00000000 fffff801`dbba9780 00000000`00000000 00000000`00000000 : nt!RtlpExecuteHandlerForException+0xd
fffff801`dbba9680 fffff801`d8cc5b36 : fffff801`dbbaa558 fffff801`dbbaa2a0 fffff801`dbbaa558 fffff801`dbbaa558 : nt!RtlDispatchException+0x404
fffff801`dbba9d70 fffff801`d8e1298e : ffffa40d`83171010 fffff805`fe1addb1 00000000`00008000 ffffa40d`8317136b : nt!KiDispatchException+0x1f6
fffff801`dbbaa420 fffff801`d8e10c34 : 00000000`00000002 fffff806`00000000 ffffa40d`8333dc00 fffff805`fe531d5d : nt!KiExceptionDispatch+0xce
fffff801`dbbaa600 fffff805`fe8a2819 : 00000000`00000000 ffffa40d`832efab0 ffffa40d`82e54410 ffffa40d`832ef940 : nt!KiGeneralProtectionFault+0xf4
fffff801`dbbaa790 fffff805`fe5317d5 : ffffa40d`832ef940 ffffa40d`82c4e7b1 00000000`00000001 00000000`00000001 : fwpkclnt!FwppInjectComplete+0x79
fffff801`dbbaa7d0 fffff805`fe5316b9 : 00000000`00000000 00000000`00000000 00000000`00000000 ffffa40d`7d840030 : NETIO!NetioDereferenceNetBufferList+0xa5
fffff801`dbbaa810 fffff805`fe6572e9 : 00000000`00000000 fffff806`0200a401 00000000`00000000 ffffa40d`7a750001 : NETIO!NetioDereferenceNetBufferListChain+0x289
fffff801`dbbaa890 fffff805`fe3f1d36 : 00000000`00000001 fffff801`dbbaa929 00000000`00000002 00000000`00000001 : tcpip!FlSendNetBufferListChainComplete+0x59
fffff801`dbbaa8c0 fffff805`fe3f1b03 : ffffa40d`7b49e100 ffffa40d`7bfb0002 ffffa40d`00000001 ffffa40d`7d840001 : ndis!ndisMSendCompleteNetBufferListsInternal+0x136
fffff801`dbbaa990 fffff806`03f0c681 : ffffa40d`7b49e1a0 00000000`00000001 00000000`00000ceb ffffa40d`7b49e102 : ndis!NdisMSendNetBufferListsComplete+0x213
fffff801`dbbaaa80 ffffa40d`7b49e1a0 : 00000000`00000001 00000000`00000ceb ffffa40d`7b49e102 00000000`00000000 : rt640x64+0x1c681
fffff801`dbbaaa88 00000000`00000001 : 00000000`00000ceb ffffa40d`7b49e102 00000000`00000000 00000000`00000000 : 0xffffa40d`7b49e1a0
fffff801`dbbaaa90 00000000`00000ceb : ffffa40d`7b49e102 00000000`00000000 00000000`00000000 00000000`00000400 : 0x1
fffff801`dbbaaa98 ffffa40d`7b49e102 : 00000000`00000000 00000000`00000000 00000000`00000400 00000000`00000004 : 0xceb
fffff801`dbbaaaa0 00000000`00000000 : 00000000`00000000 00000000`00000400 00000000`00000004 00000000`00000000 : 0xffffa40d`7b49e102

make sure their drivers are gone/unloaded, re-run your test and see if the issue doesn't go away.

In case when (in my case) HP Velocity is disabled or unloaded WinDivert works absolutely stably.

Strange that both issues appear so suddenly, so perhaps a recent windows update has exposed a new bug?

@basil00 I found out about this behaviour some time ago (maybe months ago). The first time, I was faced with this behaviour on version 1.2. After that I started to read forums, source code and tickets on GitHub. Now I've also reproduced the issue on both 1.3 and 1.4. As far as I can see, the logic of injection hasn't changed a lot between versions.

The bug can be in WinDivert, the antivirus driver, the NIC driver

Of course, this is why I tried to understand the reason by myself. Moreover, I also didn't find any signs in the literature that say that WinDivert performs injection in a wrong way. But on the other hand, the fact that there are a lot of widespread tools that have problems with the WinDivert driver tells us that perhaps the WinDivert driver could have problems.

Does the problem occur for inbound-only, outbound-only, or either?

I haven't made this test. I'll try to do it in the near future.

Also I have to mention that I'm not a driver specialist and all my knowledge is based on the WinDivert source code and MS topics.

I'm really worried that WinDivert separates a NET_BUFFER_LIST into numerous new ones. I understand that the driver creates deep copies of NET_BUFFER and injects only newly allocated structures. But why isn't the filter's (FWPM_FILTER0) condition used? Would this help to prevent splitting of NET_BUFFER_LIST structures?

@TechnikEmpire TechnikEmpire commented Apr 24, 2018

@basil thanks for the info, I figured I was wrong haha. @Odnoburtsev thanks for sharing, that's actually really helpful to me because I'm more of a .net guy myself.

Thanks for reporting and helping the project. I wonder if this isn't a bug in HP Velocity.

Owner

@basil00 basil00 commented Apr 25, 2018

I found out about this behaviour some time ago (maybe months ago). The first time, I was faced with this behaviour on version 1.2. After that I started to read forums, source code and tickets on GitHub. Now I've also reproduced the issue on both 1.3 and 1.4. As far as I can see, the logic of injection hasn't changed a lot between versions.

Thanks, this is useful information to know. Actually, the mention of the e1i63x64.sys driver reminded me of a BSOD report I received privately (via email) in late 2017. The symptoms were: this driver installed and an antivirus running resulted in a BSOD with a stack trace very similar to the one you reported. At the time I had assumed it was just the Avast crash, but now I think it is another issue. I am not sure if the e1i63x64.sys driver is significant, since I think it is a common NIC driver.

Moreover, I also didn't find any signs in the literature that say that WinDivert performs injection in a wrong way.

Eyeballing the code, there are no obvious issues. The purpose of the completion routine is to clean up packets that were allocated, so at least I think the design should be OK. But this doesn't mean there are no subtle bugs.

I'm really worried that WinDivert separates a NET_BUFFER_LIST into numerous new ones. I understand that the driver creates deep copies of NET_BUFFER and injects only newly allocated structures. But why isn't the filter's (FWPM_FILTER0) condition used? Would this help to prevent splitting of NET_BUFFER_LIST structures?

WinDivert has always used its own filter mechanism rather than the WFP version (otherwise would need to translate the filter language into WFP filters, which I am not sure if it is worth the complexity). Actually, I am not sure what WFP does if a NET_BUFFER_LIST contains both matching and non-matching packets.

That said, it is difficult to trigger the path where WinDivert will split NET_BUFFER_LISTS. In every "natural" filter, either the whole list matches or none do. To trigger a split, you need to filter on something like checksums, so I do not think this is the issue.

Author

@Odnoburtsev Odnoburtsev commented Apr 26, 2018

Does the problem occur for inbound-only, outbound-only, or either?

@basil00, I've performed several tests whose results are given below. To prevent any kind of misunderstanding, I'm not performing any analysis.

All tests had the following conditions: Windows Server 2012 R2 Essentials, WebFilter (+WinDivert64), HP Velocity and HttpMeter (the tool to generate requests that was mentioned earlier). WinDivert64 was recompiled for each test case in the appropriate way (the source code was based on WinDivert 1.4).
Each test case was done 5 times.

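| Test case | Callouts | 1 | 2 | 3 | 4 | 5 |
|---|---|---|---|---|---|---|
| 1 | inbound, ipv4 + ipv6 | passed | passed | passed | passed | passed |
| 2 | inbound + forward, ipv4 + ipv6 | passed | passed | passed | passed | passed |
| 3 | inbound + forward + outbound, ipv4 + ipv6 | fail | fail | fail | fail | fail |
| 4 | outbound, ipv4 + ipv6 | fail | fail | fail | fail | fail |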

Test case 1: only inbound callouts were installed
Test case 2: inbound callouts and forward callouts were installed
Test case 3: WinDivert 1.4
Test case 4: only outbound callouts were installed

Test case 1 and Test case 2 completed successfully in each iteration.

Test case 3 terminated with the following exceptions.

  • ipeaklwf.sys is LiveQoS NDIS 6 Filter Driver (part of HP Velocity)

3.1

KMODE_EXCEPTION_NOT_HANDLED
EXCEPTION_CODE: (NTSTATUS) 0xc0000005
PROCESS_NAME:  webfilter.exe

STACK_TEXT:  
fffff803`3dd5e3c8 fffff803`3c857c4e : 00000000`0000001e ffffffff`c0000005 fffff801`47b036dd 00000000`00000000 : nt!KeBugCheckEx
fffff803`3dd5e3d0 fffff803`3c7cceed : fffff803`3dd5eb40 00000000`00000000 fffff803`3dd5f338 fffff803`3dd5e540 : nt!KiFatalExceptionHandler+0x22
fffff803`3dd5e410 fffff803`3c74f125 : 00000000`00000001 fffff803`3c675000 fffff803`3dd5f301 ffffe001`00000000 : nt!RtlpExecuteHandlerForException+0xd
fffff803`3dd5e440 fffff803`3c7534de : fffff803`3dd5f338 fffff803`3dd5f040 fffff803`3dd5f338 00000000`00000000 : nt!RtlDispatchException+0x1a5
fffff803`3dd5eb10 fffff803`3c7d15c2 : fffff6fb`7dbc0020 fffff6fb`7dbede00 fffff803`3c93bc60 fffff6e7`c0f8a540 : nt!KiDispatchException+0x646
fffff803`3dd5f200 fffff803`3c7cfafe : ffff6d77`49d1282c 00000000`00010000 00000000`00000000 ffffe001`2b4276c8 : nt!KiExceptionDispatch+0xc2
fffff803`3dd5f3e0 fffff801`47b036dd : ffffe001`2f128400 ffffcf81`f12e0df0 00000000`00000000 00000000`00000000 : nt!KiGeneralProtectionFault+0xfe
fffff803`3dd5f570 fffff801`4720c8c1 : ffffcf81`f12e0df0 00000000`00000001 fffff801`472257b0 00000000`00000000 : fwpkclnt!FwppInjectComplete+0x79
fffff803`3dd5f5b0 fffff801`4720c402 : 00000000`00000000 ffffcf81`f12e0df0 fffff803`3dd5f750 fffff801`48176600 : NETIO!NetioDereferenceNetBufferList+0xc1
fffff803`3dd5f630 fffff801`478dc3e7 : ffffcf81`f14a8df0 fffff801`4800a201 00000000`00000000 00000000`00000000 : NETIO!NetioDereferenceNetBufferListChain+0x2e2
fffff803`3dd5f6d0 fffff801`470fc660 : 00000000`00000001 fffff803`3dd5f769 ffffe001`2dd361a0 fffff801`480038e7 : tcpip!FlSendNetBufferListChainComplete+0x57
fffff803`3dd5f700 fffff801`470fbed1 : ffffe001`2dd361a0 ffffcf81`f14a8df0 fffff801`00000001 ffffe001`2df2b001 : NDIS!ndisMSendCompleteNetBufferListsInternal+0x140
fffff803`3dd5f7d0 fffff801`46ba01ec : ffffe001`2dd361a0 ffffcf81`f14a8df0 00000000`00000002 00000000`00000000 : NDIS!NdisMSendNetBufferListsComplete+0x4f1
fffff803`3dd5f940 fffff801`46b95197 : 00000000`00000000 ffffcf81`ef9b4ff0 00000000`00000000 ffff0001`00000000 : e1i63x64!TRANSMIT::TxProcessInterrupts+0x37c
fffff803`3dd5f9f0 fffff801`46b9557e : ffffcf81`ef9b4ff0 ffffe001`00000000 ffff0001`00000000 ffff0001`00000000 : e1i63x64!INTERRUPT::MsgIntDpcTxRxProcessing+0x207
fffff803`3dd5fa60 fffff801`46b94b78 : fffff803`3dd5fb79 ffff0001`00000000 00000000`00000000 ffffe001`2dd361a0 : e1i63x64!INTERRUPT::MsgIntMessageInterruptDPC+0x13e
fffff803`3dd5fac0 fffff801`470f7e02 : ffffe001`00000000 00000000`00000000 00000000`00000000 00000000`00000001 : e1i63x64!INTERRUPT::MiniportMessageInterruptDPC+0x28
fffff803`3dd5fb00 fffff803`3c73fcd0 : 00000000`0000ffff 00002a35`000030bd fffff803`00000002 00000000`000000f0 : NDIS!ndisInterruptDpc+0x1a3
fffff803`3dd5fbe0 fffff803`3c73ef87 : ffffe001`2f56a080 00000000`00000000 fffff803`3c978180 fffff803`3c978180 : nt!KiExecuteAllDpcs+0x1b0
fffff803`3dd5fd30 fffff803`3c7c8ad5 : 00000000`00000000 fffff803`3c978180 ffffd000`8e4bf780 fffff801`46d9ad48 : nt!KiRetireDpcList+0xd7
fffff803`3dd5ffb0 fffff803`3c7c88d9 : ffffd000`21744db8 00000000`00000001 00000000`00000000 ffffe001`2b49f3c0 : nt!KxRetireDpcList+0x5
ffffd000`21744dc0 fffff803`3c7cab45 : ffffe001`2f4a0d10 fffff803`3c7c6fb3 ffffe001`2f4a0e28 ffffe001`2f100080 : nt!KiDispatchInterruptContinue
ffffd000`21744df0 fffff803`3c7c6fb3 : ffffe001`2f4a0e28 ffffe001`2f100080 00000000`00000000 ffffe001`2f5e24f8 : nt!KiDpcInterruptBypass+0x25
ffffd000`21744e00 fffff801`46cfc779 : ffffd000`21744fa8 00000000`00000000 ffffe001`2f4a6ad0 00000000`00000000 : nt!KiInterruptDispatch+0x173
ffffd000`21744f90 fffff801`46d0200d : 00000000`00000000 ffffe001`00000000 00000000`00000001 00000000`00000000 : Wdf01000!FxRequest::CompleteInternal+0xb9
ffffd000`21745050 fffff801`489e280e : ffffe001`2f4a6ad0 ffffe001`2f4a6ad0 ffffe001`2f4a5780 ffffd000`21fc3d37 : Wdf01000!imp_WdfRequestCompleteWithInformation+0x9d
ffffd000`217450b0 fffff801`489e5b18 : 00001ffe`d0b59528 ffffd000`00000000 00000000`00000077 ffffcf81`f1368ff7 : WinDivert64+0x180e
ffffd000`217450e0 fffff801`489e60fd : ffffe001`2f4a6ed0 00001ffe`d0b59528 ffffd000`21fc2c90 ffffd000`217452d8 : WinDivert64+0x4b18
ffffd000`21745230 fffff801`46cfd9ce : 00001ffe`d0b5a878 00001ffe`d0b59528 00000000`00000077 00000000`0000000c : WinDivert64+0x50fd
ffffd000`21745330 fffff801`46cfd123 : fffff801`46d9b700 ffffe001`2f100000 ffffe001`2f4a0d00 00000000`00000000 : Wdf01000!FxIoQueue::DispatchRequestToDriver+0x1be
ffffd000`21745400 fffff801`46d042f2 : ffffe001`2f4a5780 ffffe001`2f4a6a00 00000000`00000000 fffff801`46d6bb01 : Wdf01000!FxIoQueue::DispatchEvents+0x363
ffffd000`217454c0 fffff801`46d04658 : ffffd000`21745601 ffffe001`2f4a4e70 00000000`00000000 fffff801`46d20021 : Wdf01000!FxPkgIo::EnqueueRequest+0x252
ffffd000`21745590 fffff801`489e2655 : ffffe001`2f4a6ae8 ffffe001`2f4a36a0 00000000`00000000 ffffe001`2f4a6ad0 : Wdf01000!imp_WdfDeviceEnqueueRequest+0xc9
ffffd000`217455f0 fffff801`489e5f0d : 00001ffe`d0b5c958 00001ffe`d0b59528 00000000`00000018 ffffd000`217456c8 : WinDivert64+0x1655
ffffd000`21745620 fffff801`46d019bd : 00001ffe`d0b5c958 00001ffe`d0b59528 00000000`00000002 fffff803`3c8afcd0 : WinDivert64+0x4f0d
ffffd000`217456f0 fffff801`46b15832 : 00000000`00020000 ffffd000`21745801 ffffe001`2f4a3601 fffff801`46d01200 : Wdf01000!FxDevice::DispatchWithLock+0x77d
ffffd000`217457d0 fffff803`3ccee911 : ffffcf81`f1268ea0 00000000`00000002 ffffe001`2f5e2550 00000000`00000001 : VerifierExt!xdv_IRP_MJ_DEVICE_CONTROL_wrapper+0xfe
ffffd000`21745830 fffff803`3ca5fc0f : 00000000`00000000 ffffd000`21745b80 ffffcf81`f1268ea0 ffffe001`2f117690 : nt!IovCallDriver+0x3cd
ffffd000`21745880 fffff803`3ca5f1ae : ffffe001`2f100080 0000000c`001f0003 00000000`00000000 00000000`0063fb20 : nt!IopXxxControlFile+0xa4f
ffffd000`21745a20 fffff803`3c7d11b3 : fffff6fb`7dbed7f8 00000000`00000000 00000000`00000000 00000000`00000000 : nt!NtDeviceIoControlFile+0x56
ffffd000`21745a90 00007ffa`6edc0cba : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x13
00000000`0063f998 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x00007ffa`6edc0cba

3.2

KMODE_EXCEPTION_NOT_HANDLED
EXCEPTION_CODE: (NTSTATUS) 0xc0000005
PROCESS_NAME:  svchost.exe

STACK_TEXT:  
fffff802`dcd5e3c8 fffff802`db7eac4e : 00000000`0000001e ffffffff`c0000005 fffff801`f0cc86dd 00000000`00000000 : nt!KeBugCheckEx
fffff802`dcd5e3d0 fffff802`db75feed : fffff802`dcd5eb40 00000000`00000000 fffff802`dcd5f338 fffff802`dcd5e540 : nt!KiFatalExceptionHandler+0x22
fffff802`dcd5e410 fffff802`db6e2125 : 00000000`00000001 fffff802`db608000 fffff802`dcd5f301 fffff801`00000000 : nt!RtlpExecuteHandlerForException+0xd
fffff802`dcd5e440 fffff802`db6e64de : fffff802`dcd5f338 fffff802`dcd5f040 fffff802`dcd5f338 00000000`00000000 : nt!RtlDispatchException+0x1a5
fffff802`dcd5eb10 fffff802`db7645c2 : fffff6fb`7dbc0010 fffff6fb`7dbede00 fffff802`db8cec60 fffff6e7`c0dd3490 : nt!KiDispatchException+0x646
fffff802`dcd5f200 fffff802`db762afe : ffff58b7`8531bc12 00000000`00010000 00000000`00000000 ffffe000`80828148 : nt!KiExceptionDispatch+0xc2
fffff802`dcd5f3e0 fffff801`f0cc86dd : ffffe000`84448c90 ffffcf81`ba684df0 00000000`00000000 ffffcf81`00000000 : nt!KiGeneralProtectionFault+0xfe
fffff802`dcd5f570 fffff801`f02018c1 : ffffcf81`ba684df0 00000000`00000001 fffff801`f021a7b0 00000000`00000000 : fwpkclnt!FwppInjectComplete+0x79
fffff802`dcd5f5b0 fffff801`f0201402 : 00000000`00000000 ffffcf81`ba684df0 fffff802`dcd5f750 fffff801`f1002600 : NETIO!NetioDereferenceNetBufferList+0xc1
fffff802`dcd5f630 fffff801`f0aa13e7 : ffffcf81`ba692df0 fffff801`f060a201 00000000`00000000 00000000`00000000 : NETIO!NetioDereferenceNetBufferListChain+0x2e2
fffff802`dcd5f6d0 fffff801`f02f1660 : 00000000`00000001 fffff802`dcd5f769 ffffe000`831081a0 fffff801`f06038e7 : tcpip!FlSendNetBufferListChainComplete+0x57
fffff802`dcd5f700 fffff801`f02f0ed1 : ffffe000`831081a0 ffffcf81`ba692df0 fffff801`00000001 ffffe000`837d7101 : NDIS!ndisMSendCompleteNetBufferListsInternal+0x140
fffff802`dcd5f7d0 fffff801`f165c1ec : ffffe000`831081a0 ffffcf81`ba692df0 00000000`00000002 00000000`00000000 : NDIS!NdisMSendNetBufferListsComplete+0x4f1
fffff802`dcd5f940 fffff801`f1651197 : 00000000`00000000 ffffcf81`b89c6ff0 00000000`00000000 ffff0001`00000000 : e1i63x64!TRANSMIT::TxProcessInterrupts+0x37c
fffff802`dcd5f9f0 fffff801`f165157e : ffffcf81`b89c6ff0 ffffe000`00000000 ffff0001`00000000 ffff0001`00000000 : e1i63x64!INTERRUPT::MsgIntDpcTxRxProcessing+0x207
fffff802`dcd5fa60 fffff801`f1650b78 : fffff802`dcd5fb79 ffff0001`00000000 00000000`00000000 ffffe000`831081a0 : e1i63x64!INTERRUPT::MsgIntMessageInterruptDPC+0x13e
fffff802`dcd5fac0 fffff801`f02ece02 : 00000000`00000000 fffff802`db608000 fffff802`dcd5fa80 fffff801`f0641114 : e1i63x64!INTERRUPT::MiniportMessageInterruptDPC+0x28
fffff802`dcd5fb00 fffff802`db6d2cd0 : 00000000`00000000 ffffe000`84978ce8 00000000`00000000 fffff801`f0623109 : NDIS!ndisInterruptDpc+0x1a3
fffff802`dcd5fbe0 fffff802`db6d1f87 : 00000000`00000000 fffff802`00000001 fffff802`db90b180 fffff802`00000002 : nt!KiExecuteAllDpcs+0x1b0
fffff802`dcd5fd30 fffff802`db75bad5 : 00000000`00000000 fffff802`db90b180 00000000`00000000 ffffe000`817fe880 : nt!KiRetireDpcList+0xd7
fffff802`dcd5ffb0 fffff802`db75b8d9 : 00000000`00000000 fffff802`db8ba300 00000000`00000001 00000000`0000000c : nt!KxRetireDpcList+0x5
ffffd000`213d54e0 fffff802`db75d9fa : fffffa80`03c02800 00000000`00000000 ffffd000`cc167180 00000000`00000000 : nt!KiDispatchInterruptContinue
ffffd000`213d5510 fffff802`db677043 : 00000000`0000000d fffff802`db6e1d00 ffffe000`00000001 fffff802`00000000 : nt!KiDpcInterrupt+0xca
ffffd000`213d56a0 fffff801`f134dfa0 : ffffcf81`b87a2fb0 ffffe000`852c7b70 ffffe000`0000000c 00000000`00000000 : nt!ExQueueWorkItem+0x3e3
ffffd000`213d5740 fffff801`f137ae48 : ffffcf81`ba658dc0 00000000`00000000 ffffcf81`ba658dc0 fffff802`dbc9762a : afd!AfdQueueWorkItem+0x88
ffffd000`213d5770 fffff801`f138f6bb : ffffe000`81eb62a0 fffff802`dba47108 00000000`00000002 00000000`00000000 : afd!AfdClose+0xe4
ffffd000`213d5810 fffff802`dbc81911 : ffffcf81`ba658dc0 00000000`00000002 00000000`00000001 fffff802`db65ed29 : afd!AfdDispatch+0x9b
ffffd000`213d5870 fffff802`dba47108 : ffffe000`8529aad0 00000000`00000000 ffffcf81`ba658dc0 ffffe000`8490a220 : nt!IovCallDriver+0x3cd
ffffd000`213d58c0 fffff802`db9d0dd0 : 00000000`00000000 ffffe000`8529aad0 ffffe000`80974c60 ffffe000`8529aaa0 : nt!IopDeleteFile+0x128
ffffd000`213d5940 fffff802`db661c5f : 00000000`00000000 ffffd000`213d5a99 ffffe000`8529aad0 ffffe000`8529aaa0 : nt!ObpRemoveObjectRoutine+0x64
ffffd000`213d59a0 fffff802`dba463e5 : ffffe000`80974c60 00000000`00000000 ffffd000`213d5a99 00000000`00000000 : nt!ObfDereferenceObjectWithTag+0x8f
ffffd000`213d59e0 fffff802`db7641b3 : ffffe000`8403e880 00000000`00000000 00000066`a523a9a0 00000066`a557da60 : nt!NtClose+0x205
ffffd000`213d5b00 00007ffb`d9ca0d3a : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x13
00000066`a52bf628 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x00007ffb`d9ca0d3a

3.3

KMODE_EXCEPTION_NOT_HANDLED
EXCEPTION_CODE: (NTSTATUS) 0xc0000005
PROCESS_NAME:  systray.exe
STACK_TEXT:  
fffff802`55d5e3c8 fffff802`547f9c4e : 00000000`0000001e ffffffff`c0000005 fffff801`e88c96dd 00000000`00000000 : nt!KeBugCheckEx
fffff802`55d5e3d0 fffff802`5476eeed : fffff802`55d5eb40 00000000`00000000 fffff802`55d5f338 fffff802`55d5e540 : nt!KiFatalExceptionHandler+0x22
fffff802`55d5e410 fffff802`546f1125 : 00000000`00000001 fffff802`54617000 fffff802`55d5f301 ffffe001`00000000 : nt!RtlpExecuteHandlerForException+0xd
fffff802`55d5e440 fffff802`546f54de : fffff802`55d5f338 fffff802`55d5f040 fffff802`55d5f338 00000000`00000000 : nt!RtlDispatchException+0x1a5
fffff802`55d5eb10 fffff802`547735c2 : fffff6fb`7dbc0028 fffff6fb`7dbede00 fffff802`548ddc60 fffff6e7`c0a7b270 : nt!KiDispatchException+0x646
fffff802`55d5f200 fffff802`54771afe : ffff54a9`5b7a1dfc 00000000`00010000 00000000`00000000 ffffe001`58625be0 : nt!KiExceptionDispatch+0xc2
fffff802`55d5f3e0 fffff801`e88c96dd : ffffe001`586f2720 ffffcf81`4f7e8df0 00000000`00000000 00000000`00000000 : nt!KiGeneralProtectionFault+0xfe
fffff802`55d5f570 fffff801`e7c018c1 : ffffcf81`4f7e8df0 00000000`00000001 fffff801`e7c1a7b0 00000000`00000000 : fwpkclnt!FwppInjectComplete+0x79
fffff802`55d5f5b0 fffff801`e7c01402 : 00000000`00000000 ffffcf81`4f7e8df0 fffff802`55d5f750 fffff801`e85a1600 : NETIO!NetioDereferenceNetBufferList+0xc1
fffff802`55d5f630 fffff801`e86a23e7 : ffffcf81`4f64edf0 fffff801`e817e201 00000000`00000000 00000000`00000000 : NETIO!NetioDereferenceNetBufferListChain+0x2e2
fffff802`55d5f6d0 fffff801`e7cde660 : 00000000`00000001 fffff802`55d5f769 ffffe001`5af321a0 fffff801`e81778e7 : tcpip!FlSendNetBufferListChainComplete+0x57
fffff802`55d5f700 fffff801`e7cdded1 : ffffe001`5af321a0 ffffcf81`4f64edf0 fffff801`00000001 ffffe001`5bc36101 : NDIS!ndisMSendCompleteNetBufferListsInternal+0x140
fffff802`55d5f7d0 fffff801`e8f161ec : ffffe001`5af321a0 ffffcf81`4f64edf0 00000000`00000002 00000000`00000000 : NDIS!NdisMSendNetBufferListsComplete+0x4f1
fffff802`55d5f940 fffff801`e8f0b197 : 00000000`00000000 ffffcf81`4d9b0ff0 00000000`00000000 ffff0001`00000000 : e1i63x64!TRANSMIT::TxProcessInterrupts+0x37c
fffff802`55d5f9f0 fffff801`e8f0b57e : ffffcf81`4d9b0ff0 ffffe001`00000000 ffff0001`00000000 ffff0001`00000000 : e1i63x64!INTERRUPT::MsgIntDpcTxRxProcessing+0x207
fffff802`55d5fa60 fffff801`e8f0ab78 : fffff802`55d5fb79 ffff0001`00000000 00000000`00000000 ffffe001`5af321a0 : e1i63x64!INTERRUPT::MsgIntMessageInterruptDPC+0x13e
fffff802`55d5fac0 fffff801`e7cd9e02 : ffffe001`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : e1i63x64!INTERRUPT::MiniportMessageInterruptDPC+0x28
fffff802`55d5fb00 fffff802`546e1cd0 : 00000000`00000000 000014d0`00001b2f ffffe001`00000002 00000000`000000f0 : NDIS!ndisInterruptDpc+0x1a3
fffff802`55d5fbe0 fffff802`546e0f87 : ffffe001`58658880 fffff802`55d5fe30 fffff802`5491a180 fffff802`5491a180 : nt!KiExecuteAllDpcs+0x1b0
fffff802`55d5fd30 fffff802`5476aad5 : 00000000`00000000 fffff802`5491a180 ffffd000`be6bfa00 ffffcf81`4f7d0fd0 : nt!KiRetireDpcList+0xd7
fffff802`55d5ffb0 fffff802`5476a8d9 : 00000000`00000000 00000000`02a8f020 ffffcf81`4f77cfb8 00000000`f002010f : nt!KxRetireDpcList+0x5
ffffd000`21ae0560 fffff802`5476cb45 : ffffd000`21ae0620 fffff802`54768fb3 00000000`00000001 00000000`00000000 : nt!KiDispatchInterruptContinue
ffffd000`21ae0590 fffff802`54768fb3 : 00000000`00000001 00000000`00000000 ffffd000`21ae0700 ffff76d5`b600425d : nt!KiDpcInterruptBypass+0x25
ffffd000`21ae05a0 fffff801`e81cae0f : fffff801`e8186cdf ffffd000`21ae0790 00000000`00000000 ffffcf81`4f7d0fd0 : nt!KiInterruptDispatch+0x173
ffffd000`21ae0738 fffff801`e8186cdf : ffffd000`21ae0790 00000000`00000000 ffffcf81`4f7d0fd0 fffff802`54a01c0f : ipeaklwf+0x56e0f
ffffd000`21ae0740 fffff801`e8176890 : ffffe001`5bdd84d8 fffff802`54a01c00 ffffcf81`00043ee4 fffff801`e81a933c : ipeaklwf+0x12cdf
ffffd000`21ae07d0 fffff801`e7d67bec : ffffcf81`4f77cea0 ffffe001`5aef7060 ffffe001`5aef7060 ffffe001`5bdd8430 : ipeaklwf+0x2890
ffffd000`21ae0800 fffff802`54c90911 : ffffcf81`4f77cea0 00000000`00000002 ffffe001`58771e90 fffff802`548baa01 : NDIS!ndisDummyIrpHandler+0x88
ffffd000`21ae0830 fffff802`54a01c0f : 00000000`00000000 ffffd000`21ae0b80 ffffcf81`4f77cea0 ffffe001`5bdd8430 : nt!IovCallDriver+0x3cd
ffffd000`21ae0880 fffff802`54a011ae : ffffd000`21ae0a38 00000000`77391b10 00000000`00000001 00000000`00faf6e4 : nt!IopXxxControlFile+0xa4f
ffffd000`21ae0a20 fffff802`547731b3 : ffffe001`746c6644 ffffd000`21ae0b08 00000000`00000000 00000000`00000001 : nt!NtDeviceIoControlFile+0x56
ffffd000`21ae0a90 00000000`77392352 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x13
00000000`00c5ec18 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x77392352

3.4

KMODE_EXCEPTION_NOT_HANDLED
EXCEPTION_CODE: (NTSTATUS) 0xc0000005
PROCESS_NAME:  webfilter.exe

STACK_TEXT:  
ffffd000`209bd5d8 fffff802`69a55c6f : 00000000`0000001e ffffffff`c0000005 fffff802`699ca629 ffffd000`209be5f8 : nt!KeBugCheckEx
ffffd000`209bd5e0 fffff802`699d3f66 : 00000000`00000001 ffffd000`209be130 ffffe000`5f630057 ffffe000`2a7a0618 : nt!KiFatalFilter+0x1f
ffffd000`209bd620 fffff802`699b2a96 : 00000000`00000000 0000ff02`00000000 ffffe000`2a856360 ffffd000`00000000 : nt! ?? ::FNODOBFM::`string'+0xb6
ffffd000`209bd660 fffff802`699caeed : 00000000`00000000 ffffd000`209bd800 ffffd000`209be5f8 ffffd000`209bd800 : nt!_C_specific_handler+0x86
ffffd000`209bd6d0 fffff802`6994d125 : 00000000`00000001 fffff802`69873000 ffffd000`209be500 00000000`00000000 : nt!RtlpExecuteHandlerForException+0xd
ffffd000`209bd700 fffff802`699514de : ffffd000`209be5f8 ffffd000`209be300 ffffd000`209be5f8 ffffe000`26cc6f80 : nt!RtlDispatchException+0x1a5
ffffd000`209bddd0 fffff802`699cf5c2 : 00000000`00000000 fffff802`6994ce6c ffffd000`209ba000 ffffd000`209c0000 : nt!KiDispatchException+0x646
ffffd000`209be4c0 fffff802`699cdafe : 00000000`00000051 ffffd000`209be740 ffffcf81`ff9d2fc0 ffffd000`209be740 : nt!KiExceptionDispatch+0xc2
ffffd000`209be6a0 fffff802`699ca629 : 00000000`00000004 fffff800`e4b5202e 00000000`00000002 00000000`00000000 : nt!KiGeneralProtectionFault+0xfe
ffffd000`209be830 fffff800`e4b5202e : 00000000`00000002 00000000`00000000 00000000`00000010 fffff800`e5600180 : nt!ExpInterlockedPopEntrySListFault
ffffd000`209be840 fffff800`e4a2a56f : ffffe000`26d46b02 ffffcf81`ff946f50 ffffd000`209be9c0 00000000`00000000 : NETIO!NetioAllocateMdl+0xae
ffffd000`209be890 fffff800`e5485a59 : ffffcf81`ff946f50 ffffe000`00000024 00000000`00000000 ffffe000`26d46a58 : NDIS!NdisRetreatNetBufferDataStart+0x6f
ffffd000`209be8c0 fffff800`e548391e : 00000000`e0000001 ffffe000`26d46b28 00000000`e0000001 ffffd000`209bec90 : tcpip!IppPacketizeDatagrams+0x9ae
ffffd000`209bea60 fffff800`e54c0a6c : fffff800`e5600180 00000000`00000000 fffff800`e5600180 ffffe000`2918d580 : tcpip!IppSendDatagramsCommon+0x49e
ffffd000`209bec40 fffff800`e56af2e4 : 00000000`00000010 ffffe000`2a7a0910 00000000`00000030 00000000`00000801 : tcpip!IppInspectInjectRawSend+0x1ac
ffffd000`209bee30 fffff802`698b1873 : ffffd000`209bef38 ffffcf81`ff55adf0 00000000`00000000 fffff800`e56af7d5 : fwpkclnt!FwppInjectionStackCallout+0xc8
ffffd000`209beec0 fffff800`e56af16f : fffff800`e56af21c ffffd000`209bf030 00000000`00000010 ffffcf81`ff55adf0 : nt!KeExpandKernelStackAndCalloutInternal+0xf3
ffffd000`209befb0 fffff800`e65e4a7c : ffffe000`29565af0 ffffd000`220a9a35 ffffcf81`ff790f00 ffffcf81`ff790ff5 : fwpkclnt!FwpsInjectNetworkSendAsync0+0x27b
ffffd000`209bf0e0 fffff800`e65e50fd : ffffe000`29918b40 00001fff`d6a9a508 ffffd000`220a89a0 ffffd000`209bf2d8 : WinDivert64+0x4a7c
ffffd000`209bf230 fffff800`e46dd9ce : 00001fff`d66eaae8 00001fff`d6a9a508 00000000`00000065 00000000`0000000c : WinDivert64+0x50fd
ffffd000`209bf330 fffff800`e46dd123 : fffff800`e477b700 ffffe000`26647800 ffffe000`296a1900 00000000`00000000 : Wdf01000!FxIoQueue::DispatchRequestToDriver+0x1be
ffffd000`209bf400 fffff800`e46e42f2 : ffffe000`29915510 ffffe000`29565a00 00000000`00000000 fffff800`e474bb01 : Wdf01000!FxIoQueue::DispatchEvents+0x363
ffffd000`209bf4c0 fffff800`e46e4658 : ffffd000`209bf601 ffffe000`29914c50 00000000`00000000 fffff800`e4700021 : Wdf01000!FxPkgIo::EnqueueRequest+0x252
ffffd000`209bf590 fffff800`e65e1655 : ffffe000`29565b08 ffffe000`299134b0 00000000`00000000 ffffe000`29565af0 : Wdf01000!imp_WdfDeviceEnqueueRequest+0xc9
ffffd000`209bf5f0 fffff800`e65e4f0d : 00001fff`d66ecb48 00001fff`d6a9a508 00000000`00000018 ffffd000`209bf6c8 : WinDivert64+0x1655
ffffd000`209bf620 fffff800`e46e19bd : 00001fff`d66ecb48 00001fff`d6a9a508 00000000`00000002 fffff802`69aadcd0 : WinDivert64+0x4f0d
ffffd000`209bf6f0 fffff800`e4673832 : 00000000`00020000 ffffd000`209bf801 ffffe000`29913401 fffff800`e46e1200 : Wdf01000!FxDevice::DispatchWithLock+0x77d
ffffd000`209bf7d0 fffff802`69eec911 : ffffcf81`ff808ea0 00000000`00000002 ffffe000`2a84c5b0 00000000`00000001 : VerifierExt!xdv_IRP_MJ_DEVICE_CONTROL_wrapper+0xfe
ffffd000`209bf830 fffff802`69c5dc0f : 00000000`00000000 ffffd000`209bfb80 ffffcf81`ff808ea0 ffffe000`299dfad0 : nt!IovCallDriver+0x3cd
ffffd000`209bf880 fffff802`69c5d1ae : 00000000`6b233d25 0000000c`001f0003 00000000`00000000 00000000`0091f830 : nt!IopXxxControlFile+0xa4f
ffffd000`209bfa20 fffff802`699cf1b3 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!NtDeviceIoControlFile+0x56
ffffd000`209bfa90 00007ffe`be240cba : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x13
00000000`0091f6a8 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x00007ffe`be240cba

3.5

DRIVER_IRQL_NOT_LESS_OR_EQUAL
PROCESS_NAME:  System

STACK_TEXT:  
ffffd001`95997298 fffff803`069eb4e9 : 00000000`0000000a ffffb71e`c6612fe8 00000000`00000002 00000000`00000000 : nt!KeBugCheckEx
ffffd001`959972a0 fffff803`069e9d3a : 00000000`00000000 ffffcf81`c68a0f50 00000000`00000000 ffffe001`e3426f58 : nt!KiBugCheckDispatch+0x69
ffffd001`959973e0 fffff801`320756dd : ffffe001`e69e9850 ffffcf81`c68a0df0 00000000`00000000 00000000`00000000 : nt!KiPageFault+0x23a
ffffd001`95997570 fffff801`315758c1 : ffffcf81`c68a0df0 00000000`00000001 fffff801`3158e7b0 00000000`00000000 : fwpkclnt!FwppInjectComplete+0x79
ffffd001`959975b0 fffff801`31575402 : 00000000`00000000 ffffcf81`c68a0df0 ffffd001`95997750 fffff801`31a02600 : NETIO!NetioDereferenceNetBufferList+0xc1
ffffd001`95997630 fffff801`31e4e3e7 : ffffcf81`c68f8df0 fffff801`3180a201 00000000`00000000 00000000`00000000 : NETIO!NetioDereferenceNetBufferListChain+0x2e2
ffffd001`959976d0 fffff801`31465660 : 00000000`00000001 ffffd001`95997769 ffffe001`e5cf41a0 fffff801`318038e7 : tcpip!FlSendNetBufferListChainComplete+0x57
ffffd001`95997700 fffff801`31464ed1 : ffffe001`e5cf41a0 ffffcf81`c68f8df0 fffff801`00000001 00000000`00000201 : NDIS!ndisMSendCompleteNetBufferListsInternal+0x140
ffffd001`959977d0 fffff801`327531ec : ffffe001`e5cf41a0 ffffcf81`c68f8df0 00000000`00000002 00000000`00000000 : NDIS!NdisMSendNetBufferListsComplete+0x4f1
ffffd001`95997940 fffff801`32748197 : 00000000`00000001 00000000`00000018 00000000`00000000 ffff0001`00000001 : e1i63x64!TRANSMIT::TxProcessInterrupts+0x37c
ffffd001`959979f0 fffff801`3274857e : ffffcf81`c4b82ff0 ffffe001`00000000 ffff0001`00000001 ffff0001`00000001 : e1i63x64!INTERRUPT::MsgIntDpcTxRxProcessing+0x207
ffffd001`95997a60 fffff801`32747b78 : ffffd001`95997b79 ffff0001`00000001 00000000`00000000 ffffe001`e5cf41a0 : e1i63x64!INTERRUPT::MsgIntMessageInterruptDPC+0x13e
ffffd001`95997ac0 fffff801`31460e02 : ffffe001`e3557720 fffff801`32418644 00000000`00000000 ffffe001`e3469100 : e1i63x64!INTERRUPT::MiniportMessageInterruptDPC+0x28
ffffd001`95997b00 fffff803`06959cd0 : 00000000`00000000 00001b45`0000216d ffffe001`00000002 00000000`000000f0 : NDIS!ndisInterruptDpc+0x1a3
ffffd001`95997be0 fffff803`06958f87 : ffffd001`95997e70 00000000`00000001 00000000`00000000 ffffd001`95967180 : nt!KiExecuteAllDpcs+0x1b0
ffffd001`95997d30 fffff803`069e2ad5 : 00000000`00000000 ffffd001`95967180 00000000`00000000 ffffe001`e5d11000 : nt!KiRetireDpcList+0xd7
ffffd001`95997fb0 fffff803`069e28d9 : ffffe001`e6bb12f0 ffffe001`e5cf4050 ffffe001`e7f90a10 00000000`00000ee0 : nt!KxRetireDpcList+0x5
ffffd001`92bc66a0 fffff803`069e49fa : ffffe001`e6bb12f0 00000000`00000301 ffffcf81`c6940cd0 00000000`00000328 : nt!KiDispatchInterruptContinue
ffffd001`92bc66d0 fffff803`0695bcaf : fffff801`3275419c 00000000`00000000 ffffe001`e5d11000 00000000`00000000 : nt!KiDpcInterrupt+0xca
ffffd001`92bc6868 fffff801`3275419c : 00000000`00000000 ffffe001`e5d11000 00000000`00000000 ffffcf81`c5e86c70 : nt!KzLowerIrql+0x7
ffffd001`92bc6870 fffff801`3275132e : ffffe001`e5cf41a0 00000000`00000000 00000000`00000000 00000000`00000000 : e1i63x64!TRANSMIT::TxTransmitNetBufferLists+0x34c
ffffd001`92bc68d0 fffff801`3146b5d2 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : e1i63x64!TRANSMIT::MiniportSendNetBufferLists+0x1e
ffffd001`92bc6910 fffff801`3146b860 : 00000000`00000000 00000000`00000000 ffffcf81`c6752df0 fffff801`3148ede7 : NDIS!ndisMSendNBLToMiniport+0xf2
ffffd001`92bc69c0 fffff801`3146498d : ffffe001`e5ea7100 ffffcf81`c6752df0 ffffcf81`c5e86c70 ffffcf81`c5b96d00 : NDIS!ndisInvokeNextSendHandler+0x40
ffffd001`92bc6a50 fffff801`31803009 : ffffcf81`c6752df0 00000000`00000000 fffff801`31802c00 ffffd001`00000000 : NDIS!NdisFSendNetBufferLists+0x2ed
ffffd001`92bc6ae0 fffff801`31802f2b : ffffe001`e5f0af00 00000000`00000000 00000000`00000000 00000000`00000001 : ipeaklwf+0x3009
ffffd001`92bc6b10 fffff801`31802d30 : ffffe001`e5ea7020 ffffe001`e5f0aec0 00000000`00000080 ffffe001`e5efd700 : ipeaklwf+0x2f2b
ffffd001`92bc6b70 fffff803`06990c70 : ffffe001`e5efd700 00000000`00000080 ffffe001`e5efd700 00000000`00000000 : ipeaklwf+0x2d30
ffffd001`92bc6c00 fffff803`069e5fc6 : ffffd001`95967180 ffffe001`e5efd700 ffffe001`e3576040 00000000`00000000 : nt!PspSystemThreadStartup+0x58
ffffd001`92bc6c60 00000000`00000000 : ffffd001`92bc7000 ffffd001`92bc1000 00000000`00000000 00000000`00000000 : nt!KiStartSystemThread+0x16

Test case 4 was terminated with the following exceptions.

  • ipeaklwf.sys is the LiveQoS NDIS 6 Filter Driver (part of HP Velocity)

4.1

SYSTEM_THREAD_EXCEPTION_NOT_HANDLED (7e)
ERROR_CODE: (NTSTATUS) 0xc0000005
PROCESS_NAME:  System

STACK_TEXT:  
ffffd000`f4ff6610 fffff801`8628898b : ffffe000`f9c212f8 ffffd000`f4ff6708 ffffe000`fafbd830 00000000`00000000 : nt!ViMapDoubleBuffer+0x394
ffffd000`f4ff66a0 fffff801`38cbce52 : ffffe000`fafbe8d0 ffffe000`faef3050 ffffe000`f9c212c0 ffffe000`f9c212f8 : nt!VfBuildScatterGatherList+0x1b3
ffffd000`f4ff6750 fffff801`39069dc4 : ffffcf80`b66f6df0 fffff801`38cdec0d ffffcf80`b8190f50 00000000`000000b5 : NDIS!NdisMAllocateNetBufferSGList+0x1a2
ffffd000`f4ff6810 fffff801`3906a177 : 00000000`00000000 ffffe000`faf12000 ffffcf80`b8094c70 ffffcf80`b75acc70 : e1i63x64!TRANSMIT::TxTransmitNetBufferList+0x74
ffffd000`f4ff6870 fffff801`3906732e : ffffe000`faef31a0 00000000`00000000 00000000`00000000 00000000`00000000 : e1i63x64!TRANSMIT::TxTransmitNetBufferLists+0x327
ffffd000`f4ff68d0 fffff801`38cc25d2 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : e1i63x64!TRANSMIT::MiniportSendNetBufferLists+0x1e
ffffd000`f4ff6910 fffff801`38cc2860 : 00000000`00000000 00000000`00000000 ffffcf80`b80acc70 fffff801`38ce5de7 : NDIS!ndisMSendNBLToMiniport+0xf2
ffffd000`f4ff69c0 fffff801`38cbb98d : ffffe000`fb08f100 ffffcf80`b80acc70 ffffcf80`b75acc70 ffffcf80`b66f6d00 : NDIS!ndisInvokeNextSendHandler+0x40
ffffd000`f4ff6a50 fffff801`39501009 : ffffcf80`b80acc70 00000000`00000000 fffff801`39500c00 ffffd000`00000000 : NDIS!NdisFSendNetBufferLists+0x2ed
ffffd000`f4ff6ae0 fffff801`39500f2b : ffffe000`f9caadc8 00000000`00000000 00000000`00000000 00000000`00000001 : ipeaklwf+0x3009
ffffd000`f4ff6b10 fffff801`39500d30 : ffffe000`fb08f020 ffffe000`f9caad88 00000000`00000080 ffffe000`fb0ff880 : ipeaklwf+0x2f2b
ffffd000`f4ff6b70 fffff801`85d09c70 : ffffe000`fb0ff880 00000000`00000080 ffffe000`fb0ff880 00000000`00000001 : ipeaklwf+0x2d30
ffffd000`f4ff6c00 fffff801`85d5efc6 : ffffd000`f7f67180 ffffe000`fb0ff880 ffffe000`fb0fb040 00000000`00001000 : nt!PspSystemThreadStartup+0x58
ffffd000`f4ff6c60 00000000`00000000 : ffffd000`f4ff7000 ffffd000`f4ff1000 00000000`00000000 00000000`00000000 : nt!KiStartSystemThread+0x16

4.2

DRIVER_IRQL_NOT_LESS_OR_EQUAL
PROCESS_NAME:  webfilter.exe

STACK_TEXT:  
fffff800`8055f298 fffff800`7ef734e9 : 00000000`0000000a ffffe30b`92600fe8 00000000`00000002 00000000`00000000 : nt!KeBugCheckEx
fffff800`8055f2a0 fffff800`7ef71d3a : 00000000`00000000 ffffcf81`9265ef50 00000000`00000000 ffffe000`e7c281b8 : nt!KiBugCheckDispatch+0x69
fffff800`8055f3e0 fffff800`eaca66dd : ffffe000`eb7ece30 ffffcf81`9265edf0 00000000`00000000 00000000`00000000 : nt!KiPageFault+0x23a
fffff800`8055f570 fffff800`ea1428c1 : ffffcf81`9265edf0 00000000`00000001 fffff800`ea15b7b0 00000000`00000000 : fwpkclnt!FwppInjectComplete+0x79
fffff800`8055f5b0 fffff800`ea142402 : 00000000`00000000 ffffcf81`9265edf0 fffff800`8055f750 fffff800`eb002600 : NETIO!NetioDereferenceNetBufferList+0xc1
fffff800`8055f630 fffff800`eaa7f3e7 : ffffcf81`92770df0 fffff800`ea903201 00000000`00000000 00000000`00000000 : NETIO!NetioDereferenceNetBufferListChain+0x2e2
fffff800`8055f6d0 fffff800`ea032660 : 00000000`00000001 fffff800`8055f769 ffffe000`ea4f61a0 fffff800`ea8fc8e7 : tcpip!FlSendNetBufferListChainComplete+0x57
fffff800`8055f700 fffff800`ea031ed1 : ffffe000`ea4f61a0 ffffcf81`92770df0 fffff800`00000001 ffffe000`ea6ec101 : NDIS!ndisMSendCompleteNetBufferListsInternal+0x140
fffff800`8055f7d0 fffff800`eb4731ec : ffffe000`ea4f61a0 ffffcf81`92770df0 00000000`00000002 00000000`00000000 : NDIS!NdisMSendNetBufferListsComplete+0x4f1
fffff800`8055f940 fffff800`eb468197 : 00000000`00000000 ffffcf81`90bb4ff0 00000000`00000000 ffff0001`00000000 : e1i63x64!TRANSMIT::TxProcessInterrupts+0x37c
fffff800`8055f9f0 fffff800`eb46857e : ffffcf81`90bb4ff0 ffffe000`00000000 ffff0001`00000000 ffff0001`00000000 : e1i63x64!INTERRUPT::MsgIntDpcTxRxProcessing+0x207
fffff800`8055fa60 fffff800`eb467b78 : fffff800`8055fb79 ffff0001`00000000 00000000`00000000 ffffe000`ea4f61a0 : e1i63x64!INTERRUPT::MsgIntMessageInterruptDPC+0x13e
fffff800`8055fac0 fffff800`ea02de02 : ffffe000`00000000 00000000`00000002 fffff800`8055fc80 fffff800`7f0c9200 : e1i63x64!INTERRUPT::MiniportMessageInterruptDPC+0x28
fffff800`8055fb00 fffff800`7eee1cd0 : 00000000`0000ffff 00000f32`0000152f fffff800`00000002 00000000`000000f0 : NDIS!ndisInterruptDpc+0x1a3
fffff800`8055fbe0 fffff800`7eee0f87 : ffffe000`e7c58880 fffff800`8055fe30 fffff800`7f11a180 fffff800`7f11a180 : nt!KiExecuteAllDpcs+0x1b0
fffff800`8055fd30 fffff800`7ef6aad5 : 00000000`00000000 fffff800`7f11a180 ffffd001`8d6bfa00 ffffd000`212d1900 : nt!KiRetireDpcList+0xd7
fffff800`8055ffb0 fffff800`7ef6a8d9 : 00000202`00000001 ffffd000`212d1918 00000000`00000002 00000000`00000000 : nt!KxRetireDpcList+0x5
ffffd000`212d15a0 fffff800`7ef6cb45 : 00000000`00000000 fffff800`7ef68fb3 00000000`00000000 00000000`00000000 : nt!KiDispatchInterruptContinue
ffffd000`212d15d0 fffff800`7ef68fb3 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiDpcInterruptBypass+0x25
ffffd000`212d15e0 fffff800`7eebf72c : 00000000`00000000 00000000`00000000 00000000`80000005 00000000`00000000 : nt!KiInterruptDispatch+0x173
ffffd000`212d1770 fffff800`7f0133f5 : ffffcf81`92724000 ffffcf81`92724000 ffffd000`212d18f0 00000000`00000000 : nt!MiFlushTbList+0x22c
ffffd000`212d18b0 fffff800`7f0bbea8 : 00000000`00000160 ffffffff`fffdf080 00000000`00000000 00000000`2b707249 : nt!MmFreeSpecialPool+0x2dd
ffffd000`212d1a00 fffff800`7f49c0c2 : fffff800`7ee4b602 ffffcf81`92724ea0 ffffcf81`92724ea0 ffffe000`ebc66e10 : nt!ExDeferredFreePool+0x638
ffffd000`212d1af0 fffff800`7f490c0c : ffffe000`e92665c8 ffffcf81`92724ea0 ffffd000`212d1e80 00000000`00000000 : nt!VfIoFreeIrp+0x20a
ffffd000`212d1be0 fffff800`7ee4b675 : ffffcf81`92724ea0 ffffe000`ebc66e10 ffffcf81`92724ea0 ffffcf81`92724ea0 : nt!IovFreeIrpPrivate+0x5c
ffffd000`212d1c20 fffff800`7ee4fb91 : 00000000`00000000 00000000`00000001 00000000`00000001 00000000`00000000 : nt!IopCompleteRequest+0x395
ffffd000`212d1d80 fffff800`7f490b6f : ffffcf81`92724e00 ffffcf81`92724e02 ffffd000`212d1f60 fffff800`00000015 : nt!IopfCompleteRequest+0x291
ffffd000`212d1ec0 fffff800`e9d1d8fc : 00000000`00000000 00000000`00000000 ffffe000`ebc66850 ffffe000`ebc66870 : nt!IovCompleteRequest+0x1d7
ffffd000`212d1f90 fffff800`e9d2300d : 00000000`00000000 ffffe000`00000000 00000000`00000001 00000000`00000000 : Wdf01000!FxRequest::CompleteInternal+0x23c
ffffd000`212d2050 fffff800`ebddf80e : ffffe000`ebc66850 ffffe000`ebc66850 ffffe000`ebc61c20 ffffd001`8d3d8e74 : Wdf01000!imp_WdfRequestCompleteWithInformation+0x9d
ffffd000`212d20b0 fffff800`ebde29a8 : 00001fff`143997a8 ffffd001`00000000 00000000`00000074 ffffcf81`925a8ff4 : WinDivert64!WdfRequestCompleteWithInformation+0x2e [c:\winddk\7600.16385.1\inc\wdf\kmdf\1.9\wdfrequest.h @ 1038] 
ffffd000`212d20e0 fffff800`ebde2f8d : ffffe000`ebc66c50 00001fff`143997a8 ffffd001`8d3d7dd0 ffffd000`212d22d8 : WinDivert64!windivert_write+0x898 [d:\repositories\divert\sys\windivert.c @ 1725] 
ffffd000`212d2230 fffff800`e9d1e9ce : 00001fff`1439e3d8 00001fff`143997a8 00000000`00000074 00000000`0000000c : WinDivert64!windivert_ioctl+0x18d [d:\repositories\divert\sys\windivert.c @ 1961] 
ffffd000`212d2330 fffff800`e9d1e123 : fffff800`e9dbc700 ffffe000`eb641000 ffffe000`ebb73e00 00000000`00000000 : Wdf01000!FxIoQueue::DispatchRequestToDriver+0x1be
ffffd000`212d2400 fffff800`e9d252f2 : ffffe000`ebc61c20 ffffe000`ebc66800 00000000`00000000 fffff800`e9d8cb01 : Wdf01000!FxIoQueue::DispatchEvents+0x363
ffffd000`212d24c0 fffff800`e9d25658 : ffffd000`212d2601 ffffe000`ebc62c10 00000000`00000000 fffff800`e9d40021 : Wdf01000!FxPkgIo::EnqueueRequest+0x252
ffffd000`212d2590 fffff800`ebddf655 : ffffe000`ebc66868 ffffe000`ebc616a0 00000000`00000000 ffffe000`ebc66850 : Wdf01000!imp_WdfDeviceEnqueueRequest+0xc9
ffffd000`212d25f0 fffff800`ebde2d9d : 00001fff`1439e958 00001fff`143997a8 00000000`00000018 ffffd000`212d26c8 : WinDivert64!WdfDeviceEnqueueRequest+0x25 [c:\winddk\7600.16385.1\inc\wdf\kmdf\1.9\wdfdevice.h @ 3429] 
ffffd000`212d2620 fffff800`e9d229bd : 00001fff`1439e958 00001fff`143997a8 00000000`00000002 fffff800`7f051cd0 : WinDivert64!windivert_caller_context+0x28d [d:\repositories\divert\sys\windivert.c @ 1886] 
ffffd000`212d26f0 fffff800`e9cb4832 : 00000000`00020000 ffffd000`212d2801 ffffe000`ebc61601 fffff800`e9d22200 : Wdf01000!FxDevice::DispatchWithLock+0x77d
ffffd000`212d27d0 fffff800`7f490911 : ffffcf81`92724ea0 00000000`00000002 ffffe000`ebd1da00 00000000`00000001 : VerifierExt!xdv_IRP_MJ_DEVICE_CONTROL_wrapper+0xfe
ffffd000`212d2830 fffff800`7f201c0f : 00000000`00000000 ffffd000`212d2b80 ffffcf81`92724ea0 ffffe000`ebd0e150 : nt!IovCallDriver+0x3cd
ffffd000`212d2880 fffff800`7f2011ae : ffffe000`eb641080 0000000c`001f0003 00000000`00000000 00000000`00eafc60 : nt!IopXxxControlFile+0xa4f
ffffd000`212d2a20 fffff800`7ef731b3 : fffff6fb`7dbed7f8 00000000`00000000 00000000`00000000 00000000`00000000 : nt!NtDeviceIoControlFile+0x56
ffffd000`212d2a90 00007fff`86150cba : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x13
00000000`00eafad8 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x00007fff`86150cba

4.3

DRIVER_IRQL_NOT_LESS_OR_EQUAL
PROCESS_NAME:  System

STACK_TEXT:  
fffff801`f6957f48 fffff801`f537b4e9 : 00000000`0000000a fffff91b`1a944fe8 00000000`00000002 00000000`00000000 : nt!KeBugCheckEx
fffff801`f6957f50 fffff801`f5379d3a : 00000000`00000000 ffffcf81`1a654f50 00000000`00000000 ffffe001`e3427ea8 : nt!KiBugCheckDispatch+0x69
fffff801`f6958090 fffff801`c7b626dd : ffffe001`e71fa120 ffffcf81`1a654df0 00000000`00000000 00000000`00000000 : nt!KiPageFault+0x23a
fffff801`f6958220 fffff801`c6e018c1 : ffffcf81`1a654df0 00000000`00000001 fffff801`c6e1a7b0 00000000`00000000 : fwpkclnt!FwppInjectComplete+0x79
fffff801`f6958260 fffff801`c6e01402 : 00000000`00000000 ffffcf81`1a654df0 fffff801`f6958400 fffff801`c779a600 : NETIO!NetioDereferenceNetBufferList+0xc1
fffff801`f69582e0 fffff801`c793b3e7 : ffffcf81`1a650df0 fffff801`c720a201 00000000`00000000 00000000`00000000 : NETIO!NetioDereferenceNetBufferListChain+0x2e2
fffff801`f6958380 fffff801`c6ebf660 : 00000000`00000001 fffff801`f6958419 ffffe001`e5d331a0 fffff801`c72038e7 : tcpip!FlSendNetBufferListChainComplete+0x57
fffff801`f69583b0 fffff801`c6ebeed1 : ffffe001`e5d331a0 ffffcf81`1a650df0 fffff801`00000001 ffffe001`e6a60001 : NDIS!ndisMSendCompleteNetBufferListsInternal+0x140
fffff801`f6958480 fffff801`c822d1ec : ffffe001`e5d331a0 ffffcf81`1a650df0 00000000`00000002 00000000`00000000 : NDIS!NdisMSendNetBufferListsComplete+0x4f1
fffff801`f69585f0 fffff801`c8222197 : 00000000`00000000 ffffcf81`18a88ff0 00000000`00000000 ffff0001`00000000 : e1i63x64!TRANSMIT::TxProcessInterrupts+0x37c
fffff801`f69586a0 fffff801`c822257e : ffffcf81`18a88ff0 ffffe001`00000000 ffff0001`00000000 ffff0001`00000000 : e1i63x64!INTERRUPT::MsgIntDpcTxRxProcessing+0x207
fffff801`f6958710 fffff801`c8221b78 : fffff801`f6958829 ffff0001`00000000 00000000`00000000 ffffe001`e5d331a0 : e1i63x64!INTERRUPT::MsgIntMessageInterruptDPC+0x13e
fffff801`f6958770 fffff801`c6ebae02 : 00000000`00000001 fffff801`c723f2dc 00000000`00000000 00000000`00000000 : e1i63x64!INTERRUPT::MiniportMessageInterruptDPC+0x28
fffff801`f69587b0 fffff801`f52e9cd0 : 00000000`00000000 00000000`000000d0 ffffe001`e5d08010 fffff801`f6958a20 : NDIS!ndisInterruptDpc+0x1a3
fffff801`f6958890 fffff801`f52e8f87 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiExecuteAllDpcs+0x1b0
fffff801`f69589e0 fffff801`f53734ea : fffff801`f5522180 fffff801`f5522180 fffff801`f557ba00 ffffe001`e7505080 : nt!KiRetireDpcList+0xd7
fffff801`f6958c60 00000000`00000000 : fffff801`f6959000 fffff801`f6953000 00000000`00000000 00000000`00000000 : nt!KiIdleLoop+0x5a

4.4

KMODE_EXCEPTION_NOT_HANDLED
EXCEPTION_CODE: (NTSTATUS) 0xc0000005
PROCESS_NAME:  webfilter.exe

STACK_TEXT:  
ffffd000`21d655d8 fffff802`309fbc6f : 00000000`0000001e ffffffff`c0000005 fffff802`30970629 ffffd000`21d665f8 : nt!KeBugCheckEx
ffffd000`21d655e0 fffff802`30979f66 : 00000000`00000001 ffffd000`21d66130 ffffe000`c8a26190 fffff802`308f59ed : nt!KiFatalFilter+0x1f
ffffd000`21d65620 fffff802`30958a96 : 0000038b`0000038a 00000000`00000000 fffff800`69c09b20 ffffd000`21d66130 : nt! ?? ::FNODOBFM::`string'+0xb6
ffffd000`21d65660 fffff802`30970eed : 00000000`00000000 ffffd000`21d65800 ffffd000`21d665f8 ffffd000`21d65800 : nt!_C_specific_handler+0x86
ffffd000`21d656d0 fffff802`308f3125 : 00000000`00000001 fffff802`30819000 ffffd000`21d66500 00000000`00000000 : nt!RtlpExecuteHandlerForException+0xd
ffffd000`21d65700 fffff802`308f74de : ffffd000`21d665f8 ffffd000`21d66300 ffffd000`21d665f8 ffffe000`c9e9d9c0 : nt!RtlDispatchException+0x1a5
ffffd000`21d65dd0 fffff802`309755c2 : 00000000`00000000 fffff802`308f2e6c ffffd000`21d62000 ffffd000`21d68000 : nt!KiDispatchException+0x646
ffffd000`21d664c0 fffff802`30973afe : 00000000`000005c8 ffffd000`21d66740 ffffcf81`d76defc0 ffffd000`21d66740 : nt!KiExceptionDispatch+0xc2
ffffd000`21d666a0 fffff802`30970629 : 00000000`00000004 fffff800`6915402e 00000000`00000002 00000000`00000000 : nt!KiGeneralProtectionFault+0xfe
ffffd000`21d66830 fffff800`6915402e : 00000000`00000002 00000000`00000000 00000000`00000010 fffff800`69bf0180 : nt!ExpInterlockedPopEntrySListFault
ffffd000`21d66840 fffff800`6902c56f : ffffe000`c9f0d502 ffffcf81`d7878f50 ffffd000`21d669c0 00000000`00000000 : NETIO!NetioAllocateMdl+0xae
ffffd000`21d66890 fffff800`69a75a59 : ffffcf81`d7878f50 ffffe000`00000024 00000000`00000000 ffffe000`c9f0d498 : NDIS!NdisRetreatNetBufferDataStart+0x6f
ffffd000`21d668c0 fffff800`69a7391e : 00000000`e0000001 ffffe000`c9f0d568 00000000`e0000001 ffffd000`21d66c90 : tcpip!IppPacketizeDatagrams+0x9ae
ffffd000`21d66a60 fffff800`69ab0a6c : fffff800`69bf0180 00000000`00000000 fffff800`69bf0180 ffffe000`cc4a0ab0 : tcpip!IppSendDatagramsCommon+0x49e
ffffd000`21d66c40 fffff800`69c9f2e4 : 00000000`00000010 ffffe000`cdbeb3b0 ffffe000`cdbeb320 00000000`00000090 : tcpip!IppInspectInjectRawSend+0x1ac
ffffd000`21d66e30 fffff802`30857873 : 00000000`00000090 fffff802`30ea2bfd 00000000`00000000 fffff800`69c9f7c0 : fwpkclnt!FwppInjectionStackCallout+0xc8
ffffd000`21d66ec0 fffff800`69c9f16f : fffff800`69c9f21c ffffd000`21d67030 00000000`00000010 ffffcf81`d5960df0 : nt!KeExpandKernelStackAndCalloutInternal+0xf3
ffffd000`21d66fb0 fffff800`6abe890c : ffffe000`cdc111b0 ffffd000`21c7ed7c ffffcf81`d7202f00 ffffcf81`d7202ffc : fwpkclnt!FwpsInjectNetworkSendAsync0+0x27b
ffffd000`21d670e0 fffff800`6abe8f8d : ffffe000`ccad9510 00001fff`323eee48 ffffd000`21c76770 ffffd000`21d672d8 : WinDivert64!windivert_write+0x7fc [d:\repositories\divert\sys\windivert.c @ 1707] 
ffffd000`21d67230 fffff800`68c029ce : 00001fff`33529878 00001fff`323eee48 00000000`000005dc 00000000`0000000c : WinDivert64!windivert_ioctl+0x18d [d:\repositories\divert\sys\windivert.c @ 1961] 
ffffd000`21d67330 fffff800`68c02123 : fffff800`68ca0700 ffffe000`cc5f8800 ffffe000`ccad3600 00000000`00000000 : Wdf01000!FxIoQueue::DispatchRequestToDriver+0x1be
ffffd000`21d67400 fffff800`68c092f2 : ffffe000`ccad6780 ffffe000`cdc11100 00000000`00000000 fffff800`68c70b01 : Wdf01000!FxIoQueue::DispatchEvents+0x363
ffffd000`21d674c0 fffff800`68c09658 : ffffd000`21d67601 ffffe000`ccad7680 00000000`00000000 fffff800`68c30021 : Wdf01000!FxPkgIo::EnqueueRequest+0x252
ffffd000`21d67590 fffff800`6abe5655 : ffffe000`cdc111c8 ffffe000`ccad7080 00000000`00000000 ffffe000`cdc111b0 : Wdf01000!imp_WdfDeviceEnqueueRequest+0xc9
ffffd000`21d675f0 fffff800`6abe8d9d : 00001fff`33528f78 00001fff`323eee48 00000000`00000018 ffffd000`21d676c8 : WinDivert64!WdfDeviceEnqueueRequest+0x25 [c:\winddk\7600.16385.1\inc\wdf\kmdf\1.9\wdfdevice.h @ 3429] 
ffffd000`21d67620 fffff800`68c069bd : 00001fff`33528f78 00001fff`323eee48 00000000`00000002 fffff802`30a53cd0 : WinDivert64!windivert_caller_context+0x28d [d:\repositories\divert\sys\windivert.c @ 1886] 
ffffd000`21d676f0 fffff800`68d45832 : 00000000`00020000 ffffd000`21d67801 ffffe000`ccad7001 fffff800`68c06200 : Wdf01000!FxDevice::DispatchWithLock+0x77d
ffffd000`21d677d0 fffff802`30e92911 : ffffcf81`d7376ea0 00000000`00000002 ffffe000`cdc34660 00000000`00000001 : VerifierExt!xdv_IRP_MJ_DEVICE_CONTROL_wrapper+0xfe
ffffd000`21d67830 fffff802`30c03c0f : 00000000`00000000 ffffd000`21d67b80 ffffcf81`d7376ea0 ffffe000`cc25d190 : nt!IovCallDriver+0x3cd
ffffd000`21d67880 fffff802`30c031ae : 00000000`500e5608 0000000c`001f0003 00000000`00000000 00000000`00a8f600 : nt!IopXxxControlFile+0xa4f
ffffd000`21d67a20 fffff802`309751b3 : 00000000`00000000 ffffd000`21d67ad8 00000000`00000000 00000000`00000002 : nt!NtDeviceIoControlFile+0x56
ffffd000`21d67a90 00007fff`25ef0cba : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x13
00000000`00a8f478 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x00007fff`25ef0cba

4.5

DRIVER_IRQL_NOT_LESS_OR_EQUAL
PROCESS_NAME:  System

STACK_TEXT:  
fffff800`09f5f298 fffff800`089ea4e9 : 00000000`0000000a fffff91b`a6cb8fe8 00000000`00000002 00000000`00000000 : nt!KeBugCheckEx
fffff800`09f5f2a0 fffff800`089e8d3a : 00000000`00000000 ffffcf81`a6caaf50 00000000`00000000 ffffe000`d6228148 : nt!KiBugCheckDispatch+0x69
fffff800`09f5f3e0 fffff801`599496dd : ffffe000`d9caa180 ffffcf81`a6caadf0 00000000`00000000 ffffcf81`00000000 : nt!KiPageFault+0x23a
fffff800`09f5f570 fffff801`58d688c1 : ffffcf81`a6caadf0 00000000`00000001 fffff801`58d817b0 00000000`00000000 : fwpkclnt!FwppInjectComplete+0x79
fffff800`09f5f5b0 fffff801`58d68402 : 00000000`00000000 ffffcf81`a6caadf0 fffff800`09f5f750 fffff801`5924e600 : NETIO!NetioDereferenceNetBufferList+0xc1
fffff800`09f5f630 fffff801`597223e7 : ffffcf81`a6c10c70 fffff801`5900a201 00000000`00000000 ffffcf81`a6964c70 : NETIO!NetioDereferenceNetBufferListChain+0x2e2
fffff800`09f5f6d0 fffff801`58c58660 : 00000000`00000001 fffff800`09f5f769 ffffe000`d8af31a0 fffff801`590038e7 : tcpip!FlSendNetBufferListChainComplete+0x57
fffff800`09f5f700 fffff801`58c57ed1 : ffffe000`d8af31a0 ffffcf81`a6964c70 fffff801`00000001 ffffcf81`a6964e01 : NDIS!ndisMSendCompleteNetBufferListsInternal+0x140
fffff800`09f5f7d0 fffff801`5a11b1ec : ffffe000`d8af31a0 ffffcf81`a6964c70 00000000`0000000a 00000000`00000000 : NDIS!NdisMSendNetBufferListsComplete+0x4f1
fffff800`09f5f940 fffff801`5a110197 : 00000000`00000000 ffffcf81`a4e64ff0 00000000`00000000 ffff0001`00000000 : e1i63x64!TRANSMIT::TxProcessInterrupts+0x37c
fffff800`09f5f9f0 fffff801`5a11057e : ffffcf81`a4e64ff0 ffffe000`00000000 ffff0001`00000000 ffff0001`00000000 : e1i63x64!INTERRUPT::MsgIntDpcTxRxProcessing+0x207
fffff800`09f5fa60 fffff801`5a10fb78 : fffff800`09f5fb79 ffff0001`00000000 00000000`00000000 ffffe000`d8af31a0 : e1i63x64!INTERRUPT::MsgIntMessageInterruptDPC+0x13e
fffff800`09f5fac0 fffff801`58c53e02 : ffffe000`da4e5388 ffffe000`d76431a0 00000000`00000000 00000000`00000001 : e1i63x64!INTERRUPT::MiniportMessageInterruptDPC+0x28
fffff800`09f5fb00 fffff800`08958cd0 : 00000000`00000000 00000000`0000006c fffff800`09f5fe70 ffffe000`d7643118 : NDIS!ndisInterruptDpc+0x1a3
fffff800`09f5fbe0 fffff800`08957f87 : ffffe000`d6258880 fffff800`09f5fe30 fffff800`08b91180 fffff800`08b91180 : nt!KiExecuteAllDpcs+0x1b0
fffff800`09f5fd30 fffff800`089e1ad5 : 00000000`00000000 fffff800`08b91180 00000000`00000000 ffffe000`d8b13000 : nt!KiRetireDpcList+0xd7
fffff800`09f5ffb0 fffff800`089e18d9 : ffffe000`da31e110 ffffe000`d8af3050 ffffe000`da3aae00 00000000`00000ee0 : nt!KxRetireDpcList+0x5
ffffd001`151676a0 fffff800`089e39fa : ffffe000`da31e110 00000000`00000301 ffffcf81`a6d5ccd0 00000000`00000328 : nt!KiDispatchInterruptContinue
ffffd001`151676d0 fffff800`0895acaf : fffff801`5a11c19c 00000000`00000000 ffffe000`d8b13000 00000000`00000000 : nt!KiDpcInterrupt+0xca
ffffd001`15167868 fffff801`5a11c19c : 00000000`00000000 ffffe000`d8b13000 00000000`00000000 ffffcf81`a624cc70 : nt!KzLowerIrql+0x7
ffffd001`15167870 fffff801`5a11932e : ffffe000`d8af31a0 00000000`00000000 00000000`00000000 00000000`00000000 : e1i63x64!TRANSMIT::TxTransmitNetBufferLists+0x34c
ffffd001`151678d0 fffff801`58c5e5d2 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : e1i63x64!TRANSMIT::MiniportSendNetBufferLists+0x1e
ffffd001`15167910 fffff801`58c5e860 : 00000000`00000000 00000000`00000000 ffffcf81`a6964c70 fffff801`58c81de7 : NDIS!ndisMSendNBLToMiniport+0xf2
ffffd001`151679c0 fffff801`58c5798d : ffffe000`d8c9bdc0 ffffcf81`a6964c70 ffffcf81`a624cc70 ffffcf81`a5528d00 : NDIS!ndisInvokeNextSendHandler+0x40
ffffd001`15167a50 fffff801`59003009 : ffffcf81`a6964c70 00000000`00000000 fffff801`59002c00 ffffd001`00000000 : NDIS!NdisFSendNetBufferLists+0x2ed
ffffd001`15167ae0 fffff801`59002f2b : ffffe000`d8d97dc8 00000000`00000000 00000000`00000000 00000000`00000001 : ipeaklwf+0x3009
ffffd001`15167b10 fffff801`59002d30 : ffffe000`d8c9bce0 ffffe000`d8d97d88 00000000`00000080 ffffe000`d8d86040 : ipeaklwf+0x2f2b
ffffd001`15167b70 fffff800`0898fc70 : ffffe000`d8d86040 00000000`00000080 ffffe000`d8d86040 00000000`00000001 : ipeaklwf+0x2d30
ffffd001`15167c00 fffff800`089e4fc6 : ffffd001`18367180 ffffe000`d8d86040 ffffe000`d8d19040 00000000`00001000 : nt!PspSystemThreadStartup+0x58
ffffd001`15167c60 00000000`00000000 : ffffd001`15168000 ffffd001`15162000 00000000`00000000 00000000`00000000 : nt!KiStartSystemThread+0x16

Owner

@basil00 basil00 commented Apr 27, 2018

Thanks. There are actually a lot of different types of errors. Error 4.4 is interesting since it occurs during a call to windivert_write outbound injection and there are no other drivers (directly) involved. Presumably, this is Windows attempting to add space for the ethernet header using a call to NdisRetreatNetBufferDataStart and NetioAllocateMdl, but this causes a crash?

One possibility is that the state of injected packets is being corrupted somehow. This can happen if another driver is taking a reference of the packet (not "officially" taking ownership of it) and modifying it out-of-band. This would explain why there are different kinds of crashes, since the modification can occur at random places. This can even be a use-after-free, e.g., the original packet is freed, then reallocated as a different packet, and only then modified via the old reference, causing a random crash.

Otherwise, I cannot think of any other obvious explanation for the observed behavior.

Owner

@basil00 basil00 commented Apr 29, 2018

It appears that the ipeaklwf.sys driver is implicated in many recent BSOD reports, based on a Google search. So I think it is probably the culprit. So it is worth checking if the ipeaklwf.sys driver is the most up-to-date version. Do the BSODs stop if HP Velocity is uninstalled?

The ipeaklwf.sys driver appears to be an NDIS lightweight filter driver, so will sit in between WFP and the NIC driver. Its job is to intercept and inspect packets, and either block them (for the antivirus), or pass them to the lower NIC driver. I think somehow NdisFSendNetBufferListsComplete is being called twice on the same packet, maybe once by the filter driver and the other by the NIC driver. But this is just an educated guess.

Author

@Odnoburtsev Odnoburtsev commented May 2, 2018

> Do the BSODs stop if HP Velocity is uninstalled?

BSODs also stop even if HP Velocity is disabled (it has three modes: active, monitoring, disabled).

I'd like somehow to prove this theory, therefore I'm going to ask LiveQoS specialists during the next several days to join the conversation to help us find the reason for the issue.

Owner

@basil00 basil00 commented May 5, 2018

As mentioned above, if you just search for ipeaklwf or HP Velocity you find multiple users with similar BSOD problems. It seems unlikely that all of these people are also WinDivert users. So, in the absence of further evidence, I think it is most likely a bug in the HP Velocity driver that is made worse when other drivers are loaded.

If the bug is something like "completing" packets twice, then this would explain the symptoms. Without WinDivert loaded, this is unlikely to be fatal since the buffer belongs to the user application, which is most likely blocking until the system call completes anyway. But with WinDivert loaded, this results in a double free error resulting in "random" crashes, which explains the diversity of the BSOD messages. But this is partly based on speculation, so might be something else.

On the other forums, it seems that the consensus is to uninstall or disable HP Velocity. I intend to close this issue unless further information comes to light.

@basil00 basil00 closed this May 5, 2018
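
Added example, not part of the original thread and not WinDivert, NDIS or HP Velocity code: a toy descriptor pool in C that models the hypothesis in the comments above, where a packet is completed twice and the second completion tears down a descriptor that has already been reallocated to a different packet. All names (`pkt_t`, `handle_t`, `complete_checked`, and so on) are hypothetical; the generation counter is one way a completion path can detect a stale reference.

```c
#include <stdint.h>
#include <string.h>

/* Toy model, not NDIS: fixed pool of packet descriptors with a LIFO free list. */
#define POOL 4
typedef struct { uint32_t gen; int in_use; char owner[8]; } pkt_t;
typedef struct { pkt_t *p; uint32_t gen; } handle_t; /* reference + generation at alloc */

static pkt_t pool[POOL];
static pkt_t *free_list[POOL];
static int free_top;

void pool_init(void) {
    memset(pool, 0, sizeof pool);
    free_top = 0;
    for (int i = 0; i < POOL; i++) free_list[free_top++] = &pool[i];
}

handle_t pkt_alloc(const char *owner) {
    pkt_t *p = free_list[--free_top];
    p->in_use = 1;
    p->gen++;                                  /* new lifetime for this descriptor */
    strncpy(p->owner, owner, sizeof p->owner - 1);
    p->owner[sizeof p->owner - 1] = '\0';
    return (handle_t){ p, p->gen };
}

/* Unchecked completion: trusts the caller, so a second call frees again. */
void complete_unchecked(handle_t h) {
    h.p->in_use = 0;
    h.p->owner[0] = '\0';
    free_list[free_top++] = h.p;
}

/* Checked completion: returns 0 on success, -1 if the handle is stale. */
int complete_checked(handle_t h) {
    if (!h.p->in_use || h.p->gen != h.gen) return -1;
    complete_unchecked(h);
    return 0;
}

/* The same packet is completed twice. Returns 1 if the second completion
   destroyed a live packet that now owns the reused descriptor. */
int double_complete_corrupts(int checked) {
    pool_init();
    handle_t a = pkt_alloc("inject");                               /* injected packet */
    if (checked) complete_checked(a); else complete_unchecked(a);   /* 1st completion */
    handle_t b = pkt_alloc("other");                                /* descriptor reused */
    if (checked) complete_checked(a); else complete_unchecked(a);   /* 2nd, stale */
    return b.p == a.p && !b.p->in_use;
}
```

In the unchecked case the descriptor also ends up on the free list while its new owner still holds it, so where the damage surfaces depends on who allocates next, which is consistent with the varied bug checks reported in this issue.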

Author

@Odnoburtsev Odnoburtsev commented May 7, 2018

@basil00, it's not good practice when issues are closed based on predictions. It's much better to wait for an answer from all participants and then make a decision. Because in this way, the issues will be unresolved and customers will reopen them a lot of times.

FYI, nevertheless, I had a conversation with the LiveQoS team and they said they've started analysing the issue.


@fluffy-godzilla fluffy-godzilla commented May 7, 2018

Alex from LiveQoS here. We are the ISV responsible for the HP Velocity component distributed by HP.
As @Odnoburtsev said, we are aware of the problem and we have multiple people actively looking into it.
Huge thanks to him for identifying the issue and sending it our way.

The problem seems to be related to the way our NDIS filter driver handles packets generated by the WFP, so any driver using WFP to inject packets will cause the BSOD some time after our filter sent or completed the NBL chain.

Turning HP Velocity off disables packet processing and the packets are then sent as is without triggering the issue. Use that mode for the time being until we provide you guys with a solution.
We'll get back to you as soon as we have a fix.

Author

@Odnoburtsev Odnoburtsev commented May 7, 2018

@fluffy-godzilla, thank you! Thus, I interpret your post as confirmation that there is a problem on your driver's side.

This way, it seems that the ticket really should be closed.

Thank you @basil00 for the time spent analysing the dumps and the accurate assumption.

Owner

@basil00 basil00 commented May 7, 2018

@fluffy-godzilla Thanks for the info and good luck with the bug hunt. @Odnoburtsev Thanks for the report and forwarding it to the right people.

In the meantime, any users affected by this issue are advised to:

  • Update to the latest version of HP Velocity when it becomes available.

Otherwise, disable HP Velocity in the meantime.
