tcpip.sys Driver_IRQL_NOT_LESS_OR_EQUAL blue screen error

    Question

  • I just bought an Asus A43SA less than a week ago. Today, I suddenly started getting BSODs, and they became pretty frequent. The BSOD had something to do with tcpip.sys Driver_IRQL_NOT_LESS_OR_EQUAL. With my limited understanding from reading the Microsoft website, it seems to be related to drivers or something about using broadband USB and the laptop going into hibernating mode??

    I am using a USB broadband modem and I did go into hibernating mode often, which means the internet connection got cut while in hibernation and automatically kicked in when I started the laptop and the USB modem was detected. Not sure if this is the cause, but I am stating this just in case it's relevant.

    Other information that may be relevant:

    The only driver installation I recalled doing today was the Windows update.

    I did a system restore to before the Windows update ran, still the same BSOD.

    I used Advanced Care System 5 from IoBit and I just noticed today that the program just closes itself halfway through scanning for malware. It only happens when I scan for malware; scanning registry keys and other stuff worked. I deleted it and re-installed, but same thing, so I deleted it again.

    I accidentally used CCleaner to clean my registry this morning and realised that it was a bad idea, so I restored the backup.

    I have IoBit Malware fighter, Microsoft Security Essential, Trend Micro Titanium Internet Security, I previously installed Super AdBlocker but deleted it 2 days ago.

    SFC scan showed that there are corrupted files but couldn't fix them. I tried opening the CBS log but I kept getting "access denied".

     

    link to dump file

    https://skydrive.live.com/redir.aspx?cid=815e0ba83d10a98a&resid=815E0BA83D10A98A!2851&parid=815E0BA83D10A98A!2762&authkey=!AAnu-OrE3QOrn2E

     link to cbs log

    https://skydrive.live.com/redir.aspx?cid=815e0ba83d10a98a&resid=815E0BA83D10A98A!2852&parid=815E0BA83D10A98A!2762&authkey=!AHNqL8Xvcb2X6qU

     

     

    test

    Monday, December 19, 2011 5:48 PM

Answers

  • For the BSOD issue, we need to analyze the kernel dump file; this is beyond our ability in the forum. I suggest you contact Microsoft Customer Service: http://support.microsoft.com

    Thanks for your understanding and cooperation!

    Regards,

    Miya


    Miya Yao

    TechNet Community Support

    Wednesday, December 21, 2011 5:10 AM
    Moderator

All replies

  • The Stop 0x000000D1 (DRIVER_IRQL_NOT_LESS_OR_EQUAL) indicates that a kernel-mode driver attempted to access pageable memory at a process IRQL that was too high. This bug check is usually caused by drivers that have used improper addresses.
    According to the dump files you've uploaded, the faulting module was wanarp.sys, the Microsoft Remote Access and Routing ARP Driver.
    First of all, I suggest you try disabling all of your antivirus/antispyware programs except for one (you can choose which one): only one such program must be active at any time in the system.
    You could also try updating your network card driver to see if this problem persists or disappears.

    Bye.


    Luigi Bruno - Microsoft Community Contributor 2011 Award
    Monday, December 19, 2011 6:44 PM
    Moderator
  • Hmm.....is there no way to know what is using the wanarp.sys or a way to fix it??

     

    I disabled the anti-virus programs and only left Microsoft Security Essential running. I just remembered that I installed Trend Micro Titanium Internet Security a few hours before the BSOD started. Could it be the culprit? It came with the laptop and had a one year key, so I thought it wouldn't be any harm activating it.

    I updated my network card driver (Atheros AR9002WB-1NG wireless network adapter) after the BSOD started; it didn't help, I still get the BSOD.

    I will report back again to see if the BSOD persists after deactivating Trend Micro Titanium Internet Security and IoBit Malware Fighter, only leaving Microsoft Security Essentials running.

     

    What about the CBS log for SFC scan?? Does it say that wanarp.sys is the corrupted file?

    Monday, December 19, 2011 9:31 PM
  • The CBS.log file that you've uploaded does not contain any entry related to the wanarp.sys file.

    Bye.


    Luigi Bruno - Microsoft Community Contributor 2011 Award
    Monday, December 19, 2011 9:40 PM
    Moderator
  • *******************************************************************************
    *                                                                             *
    *                        Bugcheck Analysis                                    *
    *                                                                             *
    *******************************************************************************
    DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)
    An attempt was made to access a pageable (or completely invalid) address at an
    interrupt request level (IRQL) that is too high.  This is usually
    caused by drivers using improper addresses.
    If kernel debugger is available get stack backtrace.
    Arguments:
    Arg1: 000000000000001c, memory referenced
    Arg2: 0000000000000002, IRQL
    Arg3: 0000000000000001, value 0 = read operation, 1 = write operation
    Arg4: fffff8800195a87e, address which referenced memory
    Debugging Details:
    ------------------
    WRITE_ADDRESS: GetPointerFromAddress: unable to read from fffff800032bb100
     000000000000001c 
    CURRENT_IRQL:  2
    FAULTING_IP: 
    tcpip!TcpBeginTcbSend+33e
    fffff880`0195a87e f083401c01      lock add dword ptr [rax+1Ch],1
    CUSTOMER_CRASH_COUNT:  1
    DEFAULT_BUCKET_ID:  VISTA_DRIVER_FAULT
    BUGCHECK_STR:  0xD1
    PROCESS_NAME:  System
    TRAP_FRAME:  fffff88005dcafa0 -- (.trap 0xfffff88005dcafa0)
    NOTE: The trap frame does not contain all registers.
    Some register values may be zeroed or incorrect.
    rax=0000000000000000 rbx=0000000000000000 rcx=fffffa8007a353c0
    rdx=fffffa8007a35478 rsi=0000000000000000 rdi=0000000000000000
    rip=fffff8800195a87e rsp=fffff88005dcb130 rbp=fffff88005dcb240
     r8=fffffa8007a353b0  r9=fffffa8007a353c0 r10=fffffa8007a352f0
    r11=fffff88005dcb314 r12=0000000000000000 r13=0000000000000000
    r14=0000000000000000 r15=0000000000000000
    iopl=0         nv up ei pl nz na pe nc
    tcpip!TcpBeginTcbSend+0x33e:
    fffff880`0195a87e f083401c01      lock add dword ptr [rax+1Ch],1 ds:0002:00000000`0000001c=????????
    Resetting default scope
    LAST_CONTROL_TRANSFER:  from fffff800030881e9 to fffff80003088c40
    STACK_TEXT:  
    fffff880`05dcae58 fffff800`030881e9 : 00000000`0000000a 00000000`0000001c 00000000`00000002 00000000`00000001 : nt!KeBugCheckEx
    fffff880`05dcae60 fffff800`03086e60 : fffff880`05dcb170 fffff880`05dcb010 fffff880`05dcaff0 00000000`00000001 : nt!KiBugCheckDispatch+0x69
    fffff880`05dcafa0 fffff880`0195a87e : 00000000`00000001 fffffa80`09dc4a10 fffffa80`09ab8000 fffffa80`0be52580 : nt!KiPageFault+0x260
    fffff880`05dcb130 fffff880`0195eb29 : ffff0000`047a1303 ffff0000`047a1333 00000000`00000014 00000000`00000001 : tcpip!TcpBeginTcbSend+0x33e
    fffff880`05dcb3b0 fffff880`0197ad66 : 00000000`00000000 fffffa80`04893001 fffff880`01a6a128 00000000`00000000 : tcpip!TcpTcbSend+0x1d9
    fffff880`05dcb630 fffff880`0195a325 : fffffa80`03f6b000 00000000`00000000 00000000`00000000 fffff880`05dcb900 : tcpip!TcpFlushDelay+0x316
    fffff880`05dcb710 fffff880`019511c7 : fffffa80`04901900 fffffa80`04905000 fffffa80`000087c6 00000000`000087c6 : tcpip!TcpPreValidatedReceive+0x3e5
    fffff880`05dcb7e0 fffff880`01950d3a : 00000000`00000000 fffff880`01a709a0 fffff880`05dcb9a0 fffffa80`0850a030 : tcpip!IppDeliverListToProtocol+0x97
    fffff880`05dcb8a0 fffff880`01950339 : fffffa80`065f3000 00000000`00000000 fffff880`05dcb900 fffff880`05dcb990 : tcpip!IppProcessDeliverList+0x5a
    fffff880`05dcb940 fffff880`0194e0af : 00000000`006e7369 fffffa80`06605000 fffff880`01a709a0 00000000`00000001 : tcpip!IppReceiveHeaderBatch+0x23a
    fffff880`05dcba20 fffff880`015e0327 : fffffa80`09029170 00000000`00000000 00000000`00000001 fffffa80`00000001 : tcpip!IpFlcReceivePackets+0x64f
    fffff880`05dcbc20 fffff880`017590eb : 00000000`00000002 00000000`00000000 00000000`00000000 fffffa80`07362840 : wanarp!WanNdisReceivePackets+0x317
    fffff880`05dcbcd0 fffff880`01722c75 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ndis!ndisMIndicateNetBufferListsToOpen+0xdb
    fffff880`05dcbd40 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ndis!ndisMDispatchReceiveNetBufferLists+0x375
    STACK_COMMAND:  kb
    FOLLOWUP_IP: 
    wanarp!WanNdisReceivePackets+317
    fffff880`015e0327 f0834350ff      lock add dword ptr [rbx+50h],0FFFFFFFFh
    SYMBOL_STACK_INDEX:  b
    SYMBOL_NAME:  wanarp!WanNdisReceivePackets+317
    FOLLOWUP_NAME:  MachineOwner
    MODULE_NAME: wanarp
    IMAGE_NAME:  wanarp.sys
    DEBUG_FLR_IMAGE_TIMESTAMP:  4ce7a874
    FAILURE_BUCKET_ID:  X64_0xD1_wanarp!WanNdisReceivePackets+317
    BUCKET_ID:  X64_0xD1_wanarp!WanNdisReceivePackets+317
    Followup: MachineOwner
    ---------------------------------------------------------------------------------------------------------------------------------------------------
    ** The Blue Screen Caused By ( wanarp.sys ) : 

    wanarp.sys file information

    The process MS Remote Access and Routing ARP Driver belongs to the software Microsoft Windows Operating System by Microsoft Corporation (www.microsoft.com).

    Description: File wanarp.sys is located in the folder C:\Windows\System32\drivers

     The following actions might prevent an error like this from happening again:

    1. Download and install updates and device drivers for your computer from Windows Update.
    2. Scan your computer for computer viruses.
    3. Check your hard disk for errors.

     

    Regards,

     


    MCP ✦ MCTS ✦ MCITP
    Monday, December 19, 2011 9:46 PM
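
Added example, not part of the original thread: a short Python triage of the `!analyze -v` text quoted in the post above. It shows that the faulting address 0x1c is the null `rax` plus the 0x1c offset (a write through a null base pointer at DISPATCH_LEVEL inside tcpip), while the debugger's bucket names wanarp.sys further down the stack. The function name `triage` and the trimmed `SAMPLE` are constructed for this illustration.

```python
import re

# Constructed sample: a few lines trimmed from the !analyze -v output quoted above.
SAMPLE = """\
DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)
Arg1: 000000000000001c, memory referenced
Arg2: 0000000000000002, IRQL
Arg3: 0000000000000001, value 0 = read operation, 1 = write operation
Arg4: fffff8800195a87e, address which referenced memory
FAULTING_IP: 
tcpip!TcpBeginTcbSend+33e
fffff880`0195a87e f083401c01      lock add dword ptr [rax+1Ch],1
rax=0000000000000000 rbx=0000000000000000 rcx=fffffa8007a353c0
IMAGE_NAME:  wanarp.sys
"""

# Software IRQLs on x64 Windows; anything else is reported as its number.
IRQL_NAMES = {0: "PASSIVE_LEVEL", 1: "APC_LEVEL", 2: "DISPATCH_LEVEL"}

def triage(text):
    """Summarise a 0xD1 bugcheck from WinDbg !analyze -v text (hypothetical helper)."""
    name, code = re.search(r"^\s*(\w+) \(([0-9a-f]+)\)\s*$", text, re.M).groups()
    args = {int(n): int(v, 16)
            for n, v in re.findall(r"^\s*Arg(\d): ([0-9a-f]+),", text, re.M)}
    # Module and function that executed the faulting instruction.
    mod, fn = re.search(r"FAULTING_IP:\s*\n\s*(\w+)!(\w+)\+", text).groups()
    # First memory operand, e.g. [rax+1Ch] -> base register and hex offset.
    base, off = re.search(r"\[(\w+)\+([0-9A-Fa-f]+)h\]", text).groups()
    base_val = int(re.search(rf"\b{base}=([0-9a-f]+)", text).group(1), 16)
    blamed = re.search(r"IMAGE_NAME:\s*(\S+)", text).group(1)
    return {
        "bugcheck": f"{name} (0x{int(code, 16):X})",
        "irql": IRQL_NAMES.get(args[2], str(args[2])),
        "access": "write" if args[3] == 1 else "read",
        "faulting_function": f"{mod}!{fn}",
        # True when Arg1 is just a structure offset added to a null register.
        "null_base_deref": base_val == 0 and base_val + int(off, 16) == args[1],
        "blamed_image": blamed,
        # The image named in the bucket is not the module that faulted.
        "blame_differs_from_fault": not blamed.lower().startswith(mod.lower() + "."),
    }

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```
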
  • Something turned up. I've been surfing so far (around 30 minutes?) without BSODs, I hope it means the BSOD is gone. But for some reason, my anti-malware programs are having issues now?? As I mentioned earlier, Advanced System Care 5 closes during scans for malware. I just tried scanning with the free version of Malwarebytes. It also closes during the scan.

     

    Does that mean my laptop is infected??


    Also Microsoft Security Essential/client would close down suddenly too, and I noticed in the event viewer

    "Session "Microsoft Security Client OOBE" stopped due to the following error: 0xC000000D"

     

    EDIT: I ran Microsoft Security and IoBit Malware Fighter to scan my computer while I was surfing this forum. Clicked a title and the BSOD appeared >.<


    • Edited by ChocChristy Monday, December 19, 2011 10:30 PM
    Monday, December 19, 2011 10:11 PM
  • Boot into safe mode and do a Malwarebytes scan from there.

     

    Jerry

    Wednesday, December 21, 2011 6:59 PM
  • "ChocChristy" wrote in message news:99dbf964-1619-4014-b55c-a45988358081...

    Something turned up. I've been surfing so far (around 30minutes?) without BSODs, I hope it means the BSOD is gone. But for some reason, my anti-malware programs are having issues now?? As I mentioned earlier, Advanced System Care 5 closes during scans for malwares,

     

     
    Advanced System Care may well be the source of your problems, rather than the cure – its registry ‘cleaner’ is more of a destroyer than anything else.
    UNDO any registry changes it’s made recently, and see if that helps.
     

    Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed Sloth
    Thursday, December 22, 2011 8:58 AM
  • Try the below methods.

    Method 1: To use Last Known Good Configuration.

    To use a Last Known Good Configuration option, follow these steps:

    1.    Restart your computer and start pressing the F8 key on your keyboard. On a computer that is configured for booting to multiple operating systems, you can press the F8 key when the Boot Menu appears.

    2.    Use the arrow keys to choose Last Known Good Configuration when the Windows Advanced Options menu appears, and then press ENTER.


    If you are able to boot into Windows, then I suggest you update the drivers for all hardware.

    For more information visit http://windows.microsoft.com/en-us/windows7/Update-a-driver-for-hardware-that-isnt-working-properly


    Also check Event Viewer for error messages, which will help us to help you better.

    For more information visit:

    http://windows.microsoft.com/en-US/windows7/Open-Event-Viewer 

    http://windows.microsoft.com/en-US/windows7/What-information-appears-in-event-logs-Event-Viewer  
    Thursday, December 22, 2011 10:40 AM