Windows 7 BSOD culprit netio.sys

  • Question

  • Here is the output from debugging my minidump:

    *******************************************************************************
    *                                                                             *
    *                        Bugcheck Analysis                                    *
    *                                                                             *
    *******************************************************************************

    DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)
    An attempt was made to access a pageable (or completely invalid) address at an
    interrupt request level (IRQL) that is too high.  This is usually
    caused by drivers using improper addresses.
    If kernel debugger is available get stack backtrace.
    Arguments:
    Arg1: 0000000000000008, memory referenced
    Arg2: 0000000000000002, IRQL
    Arg3: 0000000000000001, value 0 = read operation, 1 = write operation
    Arg4: fffff88001511673, address which referenced memory

    Debugging Details:
    ------------------


    WRITE_ADDRESS: GetPointerFromAddress: unable to read from fffff800030fb0e0
     0000000000000008

    CURRENT_IRQL:  2

    FAULTING_IP:
    NETIO!WfppIncrementIndexAndPurgeEntries+93
    fffff880`01511673 48897008        mov     qword ptr [rax+8],rsi

    CUSTOMER_CRASH_COUNT:  1

    DEFAULT_BUCKET_ID:  VISTA_DRIVER_FAULT

    BUGCHECK_STR:  0xD1

    PROCESS_NAME:  System

    TRAP_FRAME:  fffff8800335b980 -- (.trap 0xfffff8800335b980)
    NOTE: The trap frame does not contain all registers.
    Some register values may be zeroed or incorrect.
    rax=0000000000000000 rbx=0000000000000000 rcx=fffffa80089b4f50
    rdx=0000000000000034 rsi=0000000000000000 rdi=0000000000000000
    rip=fffff88001511673 rsp=fffff8800335bb10 rbp=fffffa80089b4f48
     r8=fffff8800335bb58  r9=0000000000000000 r10=0000000000000000
    r11=000000000000000a r12=0000000000000000 r13=0000000000000000
    r14=0000000000000000 r15=0000000000000000
    iopl=0         nv up ei pl nz na po nc
    NETIO!WfppIncrementIndexAndPurgeEntries+0x93:
    fffff880`01511673 48897008        mov     qword ptr [rax+8],rsi ds:00000000`00000008=????????????????
    Resetting default scope

    LAST_CONTROL_TRANSFER:  from fffff80002ec4469 to fffff80002ec4f00

    STACK_TEXT: 
    fffff880`0335b838 fffff800`02ec4469 : 00000000`0000000a 00000000`00000008 00000000`00000002 00000000`00000001 : nt!KeBugCheckEx
    fffff880`0335b840 fffff800`02ec30e0 : fffffa80`089b9508 fffff880`0177a180 fffffa80`075444e0 fffffa80`0861aa5c : nt!KiBugCheckDispatch+0x69
    fffff880`0335b980 fffff880`01511673 : fffff880`0177a180 fffff880`0177a910 fffff880`0177a180 fffff880`0177a910 : nt!KiPageFault+0x260
    fffff880`0335bb10 fffff880`01511799 : 00000000`00000004 fffff880`0177a1c0 fffff880`0177a910 fffff880`0177a180 : NETIO!WfppIncrementIndexAndPurgeEntries+0x93
    fffff880`0335bb80 fffff880`0151127f : fffff880`0177a5d0 fffffa80`0553d680 fffff880`0177a1c0 00000000`00000000 : NETIO!WfppLeastRecentlyUsedTimerRoutine+0x19
    fffff880`0335bbd0 fffff880`0151198e : 00000001`000000ff 00000000`00000000 fffff880`0177a840 fffffa80`0553d680 : NETIO!WfpTimerWheelTimeoutHandler+0xff
    fffff880`0335bc50 fffff800`031be527 : fffffa80`06435040 fffffa80`0845ca40 fffffa80`0845ca40 fffffa80`0553d680 : NETIO!WfpSysTimerPassiveCallback+0x2e
    fffff880`0335bc80 fffff800`02ed2161 : fffff800`03068500 fffff800`031be504 fffffa80`0553d680 00000000`00000000 : nt!IopProcessWorkItem+0x23
    fffff880`0335bcb0 fffff800`03168166 : 00330031`00440041 fffffa80`0553d680 00000000`00000080 fffffa80`0551f040 : nt!ExpWorkerThread+0x111
    fffff880`0335bd40 fffff800`02ea3486 : fffff880`0316a180 fffffa80`0553d680 fffff880`031750c0 00370045`0038002d : nt!PspSystemThreadStartup+0x5a
    fffff880`0335bd80 00000000`00000000 : fffff880`0335c000 fffff880`03356000 fffff880`0335b9f0 00000000`00000000 : nt!KxStartSystemThread+0x16


    STACK_COMMAND:  kb

    FOLLOWUP_IP:
    NETIO!WfppIncrementIndexAndPurgeEntries+93
    fffff880`01511673 48897008        mov     qword ptr [rax+8],rsi

    SYMBOL_STACK_INDEX:  3

    SYMBOL_NAME:  NETIO!WfppIncrementIndexAndPurgeEntries+93

    FOLLOWUP_NAME:  MachineOwner

    MODULE_NAME: NETIO

    IMAGE_NAME:  NETIO.SYS

    DEBUG_FLR_IMAGE_TIMESTAMP:  4a5bc18a

    FAILURE_BUCKET_ID:  X64_0xD1_NETIO!WfppIncrementIndexAndPurgeEntries+93

    BUCKET_ID:  X64_0xD1_NETIO!WfppIncrementIndexAndPurgeEntries+93

    Followup: MachineOwner
    ---------

    I have gotten this bugcheck 14 times since 28-Sep-09. Any ideas....;-)?

    • Edited by Juan Motock Wednesday, November 11, 2009 2:45 PM grammer
    Wednesday, November 11, 2009 2:45 PM

Answers

  • OK, if you look at the IRQL_NOT_LESS_OR_EQUAL Stop Errors it appears the mfewfpk.sys is accessing and possibly corrupting memory prior to the tcpip.sys and the netio.sys. The mfewfpk.sys is "bolded":

    STACK_TEXT: 
    fffff880`033694c8 fffff800`02e7c469 : 00000000`0000000a 00000000`00000000 00000000`00000002 00000000`00000001 : nt!KeBugCheckEx
    fffff880`033694d0 fffff800`02e7b0e0 : 00000000`00000010 00000000`00000000 00000000`0000000b fffffa80`0661e0a8 : nt!KiBugCheckDispatch+0x69
    fffff880`03369610 fffff800`02e86d4f : 00000000`00000003 00000000`00000000 00000000`00000003 00000000`00000000 : nt!KiPageFault+0x260
    fffff880`033697a0 fffff880`0142b557 : fffffa80`0661d080 fffff880`03369a80 00000000`00006c07 fffff880`014f13de : nt!KeAcquireInStackQueuedSpinLockAtDpcLevel+0x4f
    fffff880`033697f0 fffff880`016e47bd : fffffa80`0b12f350 00000000`00000017 fffffa80`05aa4010 fffff880`03369a80 : NETIO!WfpExpireEntryLru+0x17
    fffff880`03369840 fffff880`016a2d26 : 00000000`00000004 fffff880`00c00032 fffffa80`0735e3b0 fffff880`00000001 : tcpip!WfpAleCloseRemoteEndpointConnection+0x2d
    fffff880`03369870 fffff880`017245bb : fffffa80`0b12f350 fffffa80`0585593a fffffa80`09bafc20 fffffa80`0b12f350 : tcpip! ?? ::FNODOBFM::`string'+0x22592
    fffff880`033699c0 fffff880`01724942 : 00000000`00000000 fffffa80`05855870 fffffa80`064f4c80 fffffa80`09bafc20 : tcpip!WfpAleHandleSendCompletion+0xeb
    fffff880`03369ae0 fffff880`0172eac2 : fffffa80`0552cb60 fffff880`02fd5180 fffffa80`0552cc20 00000000`00000000 : tcpip!WfpAlepAuthorizeSendCompletion+0x32
    fffff880`03369b30 fffff880`01490af2 : fffff880`03369c10 00120006`000b07d9 fffffa80`064f6990 fffffa80`09bafc20 : tcpip!WfpAleCompleteOperation+0x162
    fffff880`03369bd0 fffff880`011bc9c5 : fffffa80`064f6990 fffff880`011cf840 fffffa80`09bafc20 00000000`00000037 : fwpkclnt!FwpsCompleteOperation0+0x1e
    fffff880`03369c00 fffffa80`064f6990 : fffff880`011cf840 fffffa80`09bafc20 00000000`00000037 00000000`000007ff : mfewfpk+0x99c5
    fffff880`03369c08 fffff880`011cf840 : fffffa80`09bafc20 00000000`00000037 00000000`000007ff 00000000`00000050 : 0xfffffa80`064f6990
    fffff880`03369c10 fffffa80`09bafc20 : 00000000`00000037 00000000`000007ff 00000000`00000050 00000000`00000000 : mfewfpk+0x1c840
    fffff880`03369c18 00000000`00000037 : 00000000`000007ff 00000000`00000050 00000000`00000000 fffff800`00000000 : 0xfffffa80`09bafc20
    fffff880`03369c20 00000000`000007ff : 00000000`00000050 00000000`00000000 fffff800`00000000 fffff800`02e3b0dc : 0x37
    fffff880`03369c28 00000000`00000050 : 00000000`00000000 fffff800`00000000 fffff800`02e3b0dc 00000000`00000000 : 0x7ff
    fffff880`03369c30 00000000`00000000 : fffff800`00000000 fffff800`02e3b0dc 00000000`00000000 00000000`00060000 : 0x50

    So, it appears that the mfewfpk.sys may be the actual driver causing the crashes rather than the netio.sys.

    The mfewfpk.sys appears to be a driver for McAfee Total Protection. 

    I would suggest uninstalling the McAfee software and seeing if the problem resolves.

    BTW, are you running a beta version of McAfee? 
    • Marked as answer by Vivian Xing Tuesday, December 8, 2009 8:36 AM
    Thursday, November 12, 2009 2:15 AM
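
An added example, not part of the original thread: a Python sketch of the stack triage the answer above does by eye, run over an excerpt of the thread's own STACK_TEXT. It lists the modules on the stack and flags those shown only as `module+offset` (no resolved symbols); treating those as third-party drivers worth reviewing is a heuristic assumed here, and the names `parse_frames` and `triage` are hypothetical.

```python
import re

# Excerpt of the STACK_TEXT quoted in the thread above (rows copied verbatim).
SAMPLE = r"""
fffff880`03369610 fffff800`02e86d4f : 00000000`00000003 00000000`00000000 00000000`00000003 00000000`00000000 : nt!KiPageFault+0x260
fffff880`033697a0 fffff880`0142b557 : fffffa80`0661d080 fffff880`03369a80 00000000`00006c07 fffff880`014f13de : nt!KeAcquireInStackQueuedSpinLockAtDpcLevel+0x4f
fffff880`033697f0 fffff880`016e47bd : fffffa80`0b12f350 00000000`00000017 fffffa80`05aa4010 fffff880`03369a80 : NETIO!WfpExpireEntryLru+0x17
fffff880`03369870 fffff880`017245bb : fffffa80`0b12f350 fffffa80`0585593a fffffa80`09bafc20 fffffa80`0b12f350 : tcpip! ?? ::FNODOBFM::`string'+0x22592
fffff880`03369bd0 fffff880`011bc9c5 : fffffa80`064f6990 fffff880`011cf840 fffffa80`09bafc20 00000000`00000037 : fwpkclnt!FwpsCompleteOperation0+0x1e
fffff880`03369c00 fffffa80`064f6990 : fffff880`011cf840 fffffa80`09bafc20 00000000`00000037 00000000`000007ff : mfewfpk+0x99c5
fffff880`03369c08 fffff880`011cf840 : fffffa80`09bafc20 00000000`00000037 00000000`000007ff 00000000`00000050 : 0xfffffa80`064f6990
fffff880`03369c10 fffffa80`09bafc20 : 00000000`00000037 00000000`000007ff 00000000`00000050 00000000`00000000 : mfewfpk+0x1c840
"""

# One row: child-SP, return address, four argument slots, then the call site.
FRAME_RE = re.compile(
    r"^\s*[0-9a-f]{8}`[0-9a-f]{8}\s+[0-9a-f]{8}`[0-9a-f]{8}\s*:"
    r"(?:\s+[0-9a-f]{8}`[0-9a-f]{8}){4}\s*:\s*(.+?)\s*$",
    re.IGNORECASE,
)

def parse_frames(stack_text):
    """Return (module, has_symbol) per frame; module is None for a bare address."""
    frames = []
    for line in stack_text.splitlines():
        m = FRAME_RE.match(line)
        if not m:
            continue
        site = m.group(1)
        if site.lower().startswith("0x"):
            frames.append((None, False))                   # frame has no module name
        elif "!" in site:
            frames.append((site.split("!", 1)[0], True))   # module!symbol
        else:
            frames.append((site.split("+", 1)[0], False))  # module+offset only
    return frames

def triage(stack_text, kernel=("nt",)):
    """Summarise which modules are on the stack and which lack symbols."""
    frames = parse_frames(stack_text)
    modules = list(dict.fromkeys(mod for mod, _ in frames if mod))
    no_symbols = list(dict.fromkeys(m for m, sym in frames if m and not sym))
    first = next((m for m in modules if m.lower() not in kernel), None)
    return {"modules": modules, "first_non_kernel": first, "no_symbols": no_symbols}

if __name__ == "__main__":
    print(triage(SAMPLE))
```

A module that shows up only as `module+offset` is a lead to follow up with Driver Verifier or a driver update, not proof of fault.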
  • I have been running a beta version of McAfee that was part of Windows 7 recommended before the official release. I dumped that version tonight
    and got the final version that Comcast provides. I also did some work with "Verifier" to check drivers that are loaded and not Microsoft. I got a couple
    of bugcheck errors when testing against one driver ATKDispLowFilter.sys. I updated my version of ASUS SmartDoctor for control of my video cards. I reset
    my "Verifier" settings and will see what happens with the changes I made. Thanks much for your input. BTW I am only using the virusscan part of McAfee
    to reduce that footprint. If I see the netio.sys error return I will test against all of the loaded McAfee files with the default and/or custom "Verifier" settings
    to see if anything gives with them.
    • Marked as answer by Vivian Xing Tuesday, December 8, 2009 8:36 AM
    Thursday, November 12, 2009 4:51 AM

All replies

  • Can you zip up the minidump files and make available via Windows Live SkyDrive or similar site?
    Wednesday, November 11, 2009 3:04 PM
  • I will work on that. Do you have the URL for Windows Live Skydrive? FWIW they are pretty much all alike as far as content goes. Same bugcheck and debug.
    Wednesday, November 11, 2009 3:22 PM
  • It's a good sign if the content is consistent as that is more indicative of a driver problem rather than hardware.

    Here's a link on using Windows Live Skydrive:

    http://social.technet.microsoft.com/Forums/en/w7itproui/thread/4fc10639-02db-4665-993a-08d865088d65
    Wednesday, November 11, 2009 4:13 PM