locked
BSOD with UNEXPECTED_KERNEL_MODE_TRAP on Hyper-V RRS feed

  • Question

  • I enabled Hyper-V, configured it to access the Internet, install a guest system Windows XP, the guest system can be connected to the Internet using Dialup PPPoE connection.

    Then, after I closed Hyper-V, I tried to connect to the Internet, and I get this BSOD:

    BSOD UNEXPECTED_KERNEL_MODE_TRAP 0x0000007f fwpkclnt.sys fwpkclnt.sys

    The system rebooted, and at the next attempt to connect to the Internet (I use DialUp PPPoE) I get the same BSOD again. Next time I removed the "Virtual switch" from the Hyper-V, and now it's all right, I can be connected to the Internet.

    So the BSOD can be reproduced at any time.

    I don't have (and never had) any antiviruses and firewalls (except embedded in the Windows 10).

    The system:

    Windows 10 Pro Insider Preview
    Version 1511 (OS Build 14291.1001)
    BuildLab 14291.rs1_release.160314-2254
    BuildLab 14291.1001.amd64fre.rs1_release.160314-2254
    Windows is 64-bits

    Is there a way to avoid the BSOD?

    • Moved by BrianEhMVP Monday, March 28, 2016 3:12 PM
    Monday, March 28, 2016 1:51 PM

All replies

  • Find out what is not right with these fwpkclnt.sys fwpkclnt.sys drivers

    Brian Ehlert
    http://ITProctology.blogspot.com
    Learn. Apply. Repeat.

    Monday, March 28, 2016 3:12 PM
  • It seems all right. the driver is digitally signed by Microsoft.
    Monday, March 28, 2016 3:32 PM
  • Then I am guessing it has to do with the PPoE setup / configuration (which is a bit unusual / uncommon) and you are running on Insider Preview.....


    Brian Ehlert
    http://ITProctology.blogspot.com
    Learn. Apply. Repeat.

    Monday, March 28, 2016 3:39 PM
  •  
    We do need the actual log files (called a DMP files) as they contain the only record of the sequence of events leading up to the crash, what drivers were loaded, and what was responsible.


    Please follow our instructions for finding and uploading the files we need to help you fix your computer. They can be found here
    If you have any questions about the procedure please ask

    Wanikiya and Dyami--Team Zigzag Windows IT-PRO (MS-MVP)

    Monday, March 28, 2016 4:57 PM
  • Minidumps:

    MSInfo32:



    • Edited by zpostbox Friday, April 8, 2016 10:38 PM
    Monday, March 28, 2016 5:03 PM
  • Hi zpostbox,

    "fwpkclnt.sys " is Microsoft Windows IPsec Kernel-Mode API file. According to the analysis result, the issue is related to  "ndis.sys" which is Network Driver Interface Specification.
    Both of them are related to the network adapter. Please try to update your network adapter driver from the device manager. It is recommended to download the driver from the device manufacturer website. We may try different versions.
    Here is the analysis result for reference:
    *******************************************************************************
    *                                                                             *
    *                        Bugcheck Analysis                                    *
    *                                                                             *
    *******************************************************************************

    Use !analyze -v to get detailed debugging information.

    BugCheck 7F, {8, fffff803f6095e70, fffff803f607ffe0, fffff802613413d4}

    *** WARNING: Unable to verify timestamp for rt640x64.sys
    *** ERROR: Module load completed but symbols could not be loaded for rt640x64.sys
    Probably caused by : ndis.sys

    Followup:     MachineOwner
    ---------

    0: kd> !analyze -v
    *******************************************************************************
    *                                                                             *
    *                        Bugcheck Analysis                                    *
    *                                                                             *
    *******************************************************************************

    UNEXPECTED_KERNEL_MODE_TRAP (7f)
    This means a trap occurred in kernel mode, and it's a trap of a kind
    that the kernel isn't allowed to have/catch (bound trap) or that
    is always instant death (double fault).  The first number in the
    bugcheck params is the number of the trap (8 = double fault, etc)
    Consult an Intel x86 family manual to learn more about what these
    traps are. Here is a *portion* of those codes:
    If kv shows a taskGate
            use .tss on the part before the colon, then kv.
    Else if kv shows a trapframe
            use .trap on that value
    Else
            .trap on the appropriate frame will show where the trap was taken
            (on x86, this will be the ebp that goes with the procedure KiTrap)
    Endif
    kb will then show the corrected stack.
    Arguments:
    Arg1: 0000000000000008, EXCEPTION_DOUBLE_FAULT
    Arg2: fffff803f6095e70
    Arg3: fffff803f607ffe0
    Arg4: fffff802613413d4

    Debugging Details:
    ------------------


    SYSTEM_SKU:  To Be Filled By O.E.M.

    SYSTEM_VERSION:  System Version

    BIOS_DATE:  08/15/2011

    BASEBOARD_PRODUCT:  M5A78L-M LX

    BASEBOARD_VERSION:  Rev X.0x

    BUGCHECK_P1: 8

    BUGCHECK_P2: fffff803f6095e70

    BUGCHECK_P3: fffff803f607ffe0

    BUGCHECK_P4: fffff802613413d4

    BUGCHECK_STR:  0x7f_8

    TRAP_FRAME:  fffff803f6095e70 -- (.trap 0xfffff803f6095e70)
    NOTE: The trap frame does not contain all registers.
    Some register values may be zeroed or incorrect.
    rax=fffff80262787988 rbx=0000000000000000 rcx=ffffd68cebc87cc0
    rdx=ffffd68cebc87cc0 rsi=0000000000000000 rdi=0000000000000000
    rip=fffff802613413d4 rsp=fffff803f607ffe0 rbp=ffffd68cebc87cc0
     r8=0000000000000051  r9=ffffd68ce8afa150 r10=ffffd68cebc87cc0
    r11=0000000000000051 r12=0000000000000000 r13=0000000000000000
    r14=0000000000000000 r15=0000000000000000
    iopl=0         nv up ei pl zr na po nc
    fwpkclnt!FwppNetBufferListAssociateContext+0x34:
    fffff802`613413d4 ff15464d0300    call    qword ptr [fwpkclnt!_imp_WfpNblInfoGet (fffff802`61376120)] ds:fffff802`61376120=0000000000036eda
    Resetting default scope

    CPU_COUNT: 2

    CPU_MHZ: afd

    CPU_VENDOR:  AuthenticAMD

    CPU_FAMILY: 10

    CPU_MODEL: 6

    CPU_STEPPING: 3

    CUSTOMER_CRASH_COUNT:  1

    DEFAULT_BUCKET_ID:  WIN8_DRIVER_FAULT

    PROCESS_NAME:  System

    CURRENT_IRQL:  2

    ANALYSIS_VERSION: 10.0.10240.9 amd64fre

    STACK_OVERFLOW: Stack Limit: fffff803f6080000. Use (kF) and (!stackusage) to investigate stack usage.

    STACKUSAGE_IMAGE: The module at base 0xFFFFF80260E30000 was blamed for the stack overflow. It is using 7536 bytes of stack.

    STACK_COMMAND:  .trap 0xfffff803f6095e70 ; kb

    FOLLOWUP_NAME:  MachineOwner

    MODULE_NAME: ndis

    IMAGE_NAME:  ndis.sys

    DEBUG_FLR_IMAGE_TIMESTAMP:  56e7c286

    IMAGE_VERSION:  10.0.14291.1001

    FAILURE_BUCKET_ID:  0x7f_8_STACK_USAGE_IMAGE_ndis.sys

    BUCKET_ID:  0x7f_8_STACK_USAGE_IMAGE_ndis.sys

    PRIMARY_PROBLEM_CLASS:  0x7f_8_STACK_USAGE_IMAGE_ndis.sys

    ANALYSIS_SOURCE:  KM

    FAILURE_ID_HASH_STRING:  km:0x7f_8_stack_usage_image_ndis.sys

    FAILURE_ID_HASH:  {f08c45b0-abe1-8bf4-55d4-ea373a95d6f3}

    Followup:     MachineOwner
    ---------
    Best regards


    Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.

    Tuesday, March 29, 2016 7:21 AM
  • Hello MeipoXu

    >>Please try to update your network adapter driver from the device manager. It is recommended to download the driver from the device manufacturer website. We may try different versions.

    I tried a very old (2011) version, a modest (2015) and newest version from the Realtek website (2016/3/23), but the result is the same - the BSOD.

    Tuesday, March 29, 2016 8:15 PM
  • Hi zpostbox,

    Have you tried different network model of the hyper-v?

    If it is possible, please don`t use the PPOE to have a test.

    Best regards


    Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.

    Thursday, March 31, 2016 2:52 AM
  • >>Have you tried different network model of the hyper-v?
    >>If it is possible, please don`t use the PPOE to have a test.

    Yes, I tried all models, but there is no Internet in Internal and Private configurations (but the icon on the guest OS says the net is OK). With those configurations there are no crashes into the BSOD.

    UPDATE:
    On the Internet (www.cyberforum.ru/bsod/thread1530868.html) I found a similar problem -  Win10 x64 with Hyper-V, Debian 8 as a gueat system, PPPoE and even the same ISP.
    The adapter is the same, Realtek PCIe GBE Family Controller. The Windows 10 crashes into the same BSOD (UNEXPECTED_KERNEL_MODE_TRAP, 0x0000007f).


    • Edited by zpostbox Friday, April 8, 2016 10:35 PM
    Thursday, March 31, 2016 8:45 AM
  • Can you provide the following file via OneDrive which should contain more information on the crash:

    C:\Windows\MEMORY.DMP

    The memory.dmp will be quite large you could zip and compress the memory.dmp file with a third party application such as 7-Zip.

    From the information posted by MeipoXu there appears to be high stack usage and the memory.dmp file may show other drivers using the stack that may be at issue.

    Sunday, April 3, 2016 6:43 PM
  • >>Can you provide the following file via OneDrive which should contain more information on the crash:

    >>C:\Windows\MEMORY.DMP

    The file (140 MB):

    MEMORY_DUMP.zip


    • Edited by zpostbox Wednesday, April 6, 2016 9:06 AM
    Monday, April 4, 2016 11:13 AM
  • Actually the memory.dmp file does not seem to indicate high stack usage but a possible conflict between the  rt640x64.sys (Realtek NIC driver) and the wfplwfs.sys (WFP NDIS 6.30 Lightweight Filter Driver):


    BugCheck 7F, {8, fffff80232295e70, fffff80232286fc0, fffff80b6eed1477}

    *** ERROR: Module load completed but symbols could not be loaded for rt640x64.sys
    Page bedc not present in the dump file. Type ".hh dbgerr004" for details
    Probably caused by : wfplwfs.sys ( wfplwfs!LwfLowerSendNetBufferLists+47

    The process that crashed appeared to be the backgroundTaskHost :

    PROCESS_NAME:  backgroundTask

    Can you provide all the minidump files that are available to see if the error is consistent.

    Can you also try a "clean boot" and see if it makes any difference:

    https://support.microsoft.com/en-us/kb/929135

    After a clean boot reset the computer to start normally.

    Monday, April 4, 2016 4:50 PM
  • >>Can you provide all the minidump files that are available to see if the error is consistent.

    >>Can you also try a "clean boot" and see if it makes any difference

    I did the "clean boot", it still crashes. This is minidumps:

    New_Minidumps.zip

    The last file in the New_Minidumps.zip archive is the crash because of the VirtualBox - I installed VirtualBox-5.0.17-106359-Win.exe, it starts and crashes the PC into the BSOD. It never happened earlier, but in that time I didn't install Hyper-V yet.



    • Edited by zpostbox Friday, April 8, 2016 10:36 PM
    Monday, April 4, 2016 5:35 PM
  • One of the minidump files pointed directly to the rt640x64.sys:

    BugCheck 7F, {8, fffff80079895e70, fffff80079880000, fffff80ea5a6a2b0}

    *** WARNING: Unable to verify timestamp for rt640x64.sys
    *** ERROR: Module load completed but symbols could not be loaded for rt640x64.sys
    Probably caused by : rt640x64.sys ( rt640x64+6a2b0 )

    So the issue may be with the Realtek driver.

    Did you uninstall VirtualBox?

    There appears to be a VirtualBox driver still loading, the VBoxDrv.sys.

    Tuesday, April 5, 2016 1:09 AM
  • >>Did you uninstall VirtualBox?

    >>There appears to be a VirtualBox driver still loading, the VBoxDrv.sys.

    No, that time I didn't uninstall the VirtualBox.

    But now I did it, but the system still crashes into the BSOD, here is the minidump:

    minidump.zip



    • Edited by zpostbox Friday, April 8, 2016 10:37 PM
    Tuesday, April 5, 2016 7:23 AM
  • Not sure this has anything to do with the issue but try installing the Legacy AMD Chipset drivers (15.7.1):

    http://support.amd.com/en-us/download/desktop/legacy?product=legacy4&os=Windows%2010%20-%2064

    The error you experienced after uninstalling VirtualBox is this which is similar to previous errors:

    BugCheck 7F, {8, fffff80329895e70, fffff80329886fc0, fffff801e2191477}

    Probably caused by : wfplwfs.sys ( wfplwfs!LwfLowerSendNetBufferLists+47 )

    The string wfplwfs!LwfLowerSendNetBufferLists is reported in the following link :

    https://social.technet.microsoft.com/Forums/windows/en-US/ce43ef2a-0a73-409c-9628-4da8f8bada46/huge-bugbluescreen-everytime-i-open-web-pages?forum=w8itprogeneral

    In that link the NIC driver appeared to be the issue and that may be the case in your situation.

    It was interesting in that link that temporarily disabling the Windows firewall stopped the blue screen error.

    • Edited by auggyMVP Wednesday, April 6, 2016 4:18 PM
    Wednesday, April 6, 2016 4:16 PM
  • >>Not sure this has anything to do with the issue but try installing the Legacy AMD Chipset drivers (15.7.1):

    >>It was interesting in that link that temporarily disabling the Windows firewall stopped the blue screen error.

    I upgraded Windows to the Build 14316, disabled the Firewall, but the system still crashes, I installed AMD Chipset drivers 15.7.1, but still gets the BSOD, this is the minidumps:

    Minidump_07_04_2016.zip



    • Edited by zpostbox Wednesday, April 13, 2016 12:47 PM
    Wednesday, April 6, 2016 11:05 PM
  • Hi zpostbox,

    According to the dump files, the issue could be related to the "rt640x64.sys", it is related to Realtek PCI/PCIe Adapter.
    Have you tried to update the Realtek PCI/PCIe Adapter from the device manager?

    It is recommended to download the driver from the device manufacturer website. We may try different versions.

    Best regards


    Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.

    Friday, April 8, 2016 2:37 AM
  • >>Have you tried to update the Realtek PCI/PCIe Adapter from the device manager?

    >>It is recommended to download the driver from the device manufacturer website. We may try different versions.

    I have a newest driver downloaded from the Realtek site. I also tried another versions, older, but I still get the BSOD with any driver.

    Friday, April 8, 2016 7:16 AM
  • The latest minidump files shows the rt640x64.sys as the most likely culprit.

    BugCheck 7F, {8, fffff800a6026e70, fffff800a6010fb0, fffff805c9b639a6}

    *** WARNING: Unable to verify timestamp for rt640x64.sys
    *** ERROR: Module load completed but symbols could not be loaded for rt640x64.sys
    Probably caused by : ndis.sys ( ndis!NdisMIndicateReceiveNetBufferLists+735 )

    BUCKET_ID:  0x7f_8_STACK_USAGE_RECURSION_ndis!NdisMIndicateReceiveNetBufferLists

    Stack Usage By Module
    =================================================================================

          Size     Count  Module
    0x00001D60        31  ndis
    0x00001780        15  tcpip
    0x00000E40        16  vmswitch
    0x000007C0         5  raspppoe
    0x00000630        12  ndiswan
    0x000001E0         2  wanarp
    0x00000148         3  nt
    0x00000140         1  wfplwfs
    0x00000130         2  Ndu
    0x000000D0         1  NETIO
    0x00000008         1  rt640x64

    The rt640x64.sys seems to be contributing to a stack overflow that is somewhat similar to the what was reported in the following link, in your case the ndis.sys appears to cause the stack overflow:

    https://social.technet.microsoft.com/Forums/en-US/cf626a2c-3969-4cf3-8523-fbc2ef41c294/vmswitchsys-causing-stack-overflow?forum=win10itprovirt

    You may have to wait for an updated Realtek driver or possible fix in a later Windows 10 build.

    You could also try, if you have not already, uninstall the Realtek driver that is now installed and use what is provided by Windows.

    Saturday, April 9, 2016 9:42 PM
  • >>You could also try, if you have not already, uninstall the Realtek driver that is now installed and use what is provided by Windows

    The driver provided by Windows also gives the BSOD, I tried it already.

    Saturday, April 9, 2016 9:48 PM