BSOD after enabling Verifier.exe making debug difficult
Hi folks,
I have a new (3 months old) work-issued laptop, running Windows 7 and mandatory Symantec PGP (10.3). The laptop has caused trouble from new, with 2-3 BSODs per week, the most frequent manifestation being DRIVER_IRQL_NOT_LESS_OR_EQUAL.
Our IT support desk is offering nothing better than taking it for 2 days and re-imaging it, which would leave me without a work laptop for 2 days and a further 2 days of personal time getting myself set up again, so I'm trying to debug myself rather than waste 4 days on something that might not work.
The most seen BSOD is DRIVER_IRQL_NOT_LESS_OR_EQUAL
There's lots of good info here, I've used WinDbg to view my minidumps, but everything points to kernel and common wisdom here suggests it's not that.
Now to my problem: I'm trying to isolate any driver error, but every time I restart with Verifier.exe enabled I get a (dumpless) BSOD with an error:
Code:
The IO manager has detected a violation by a driver that is being verified... ...PGPwded.sys
PGPwded is a driver for PGP. Scouring the Symantec forums, all I find is robust defense of their software, and a claim that the driver is not the cause of BSODs. Fine says I, and I set up Verifier.exe to monitor all but the Symantec results, only I keep getting the same error regardless.
Any suggestions for getting Verifier.exe to get around PGP? (PGP is unavoidable.)
Sample Dump:
Thanks!
Code:
Microsoft (R) Windows Debugger Version 6.12.0002.633 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.

Loading Dump File [C:\temp\Dumps\033115-49826-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available

Symbol search path is: srv*c:\Symbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
Windows 7 Kernel Version 7601 (Service Pack 1) MP (8 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 7601.18738.amd64fre.win7sp1_gdr.150128-1513
Machine Name:
Kernel base = 0xfffff800`02e66000 PsLoadedModuleList = 0xfffff800`030aa890
Debug session time: Tue Mar 31 09:22:24.010 2015 (UTC + 1:00)
System Uptime: 5 days 13:00:24.502
Loading Kernel Symbols
...............................................................
................................................................
.......................................................
Loading User Symbols
Loading unloaded module list
..................................................
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck A, {fffff800f0a12e40, 2, 0, fffff80002ee018d}

Probably caused by : ntkrnlmp.exe ( nt!KiCommitThreadWait+26d )

Followup: MachineOwner
---------

4: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

IRQL_NOT_LESS_OR_EQUAL (a)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high. This is usually
caused by drivers using improper addresses.
If a kernel debugger is available get the stack backtrace.
Arguments:
Arg1: fffff800f0a12e40, memory referenced
Arg2: 0000000000000002, IRQL
Arg3: 0000000000000000, bitfield :
    bit 0 : value 0 = read operation, 1 = write operation
    bit 3 : value 0 = not an execute operation, 1 = execute operation (only on chips which support this level of status)
Arg4: fffff80002ee018d, address which referenced memory

Debugging Details:
------------------

READ_ADDRESS: GetPointerFromAddress: unable to read from fffff80003114100
 fffff800f0a12e40

CURRENT_IRQL: 2

FAULTING_IP:
nt!KiCommitThreadWait+26d
fffff800`02ee018d 4d8bb4c040ec2a00 mov r14,qword ptr [r8+rax*8+2AEC40h]

CUSTOMER_CRASH_COUNT: 1

DEFAULT_BUCKET_ID: VISTA_DRIVER_FAULT

BUGCHECK_STR: 0xA

PROCESS_NAME: svchost.exe

TRAP_FRAME: fffff88022b34e70 -- (.trap 0xfffff88022b34e70)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=000000001db1fc40 rbx=0000000000000000 rcx=0000000000000049
rdx=00000000000007ff rsi=0000000000000000 rdi=0000000000000000
rip=fffff80002ee018d rsp=fffff88022b35000 rbp=0000000000000001
 r8=fffff80002e66000  r9=0000000000000000 r10=ffffffffffffffef
r11=fffff880009b3180 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei pl nz na pe nc
nt!KiCommitThreadWait+0x26d:
fffff800`02ee018d 4d8bb4c040ec2a00 mov r14,qword ptr [r8+rax*8+2AEC40h] ds:fffff800`f0a12e40=????????????????
Resetting default scope

LAST_CONTROL_TRANSFER: from fffff80002eda469 to fffff80002edaec0

STACK_TEXT:
fffff880`22b34d28 fffff800`02eda469 : 00000000`0000000a fffff800`f0a12e40 00000000`00000002 00000000`00000000 : nt!KeBugCheckEx
fffff880`22b34d30 fffff800`02ed90e0 : fffff880`22b35ab8 fffff800`02edda63 fffff880`00000004 fffffa80`1db1fb50 : nt!KiBugCheckDispatch+0x69
fffff880`22b34e70 fffff800`02ee018d : fffffa80`1db1fb50 fffffa80`1db1fb50 00000000`00000000 00000000`00000004 : nt!KiPageFault+0x260
fffff880`22b35000 fffff800`02edf60a : 00000000`00000000 00000000`00000001 fffffa80`00000049 00000000`00000000 : nt!KiCommitThreadWait+0x26d
fffff880`22b35090 fffff800`031d38df : ffff0000`00000002 fffff880`22b353e0 00000000`00000001 fffff880`00000006 : nt!KeWaitForMultipleObjects+0x272
fffff880`22b35350 fffff800`031d3c56 : fffffa80`0d9e6501 fffff800`030101ee 00000000`00000001 fffffa80`1db1fb01 : nt!ObpWaitForMultipleObjects+0x294
fffff880`22b35820 fffff800`02eda153 : fffffa80`1db1fb50 00000000`0b6dfd38 fffff880`22b35a88 00000000`00000000 : nt!NtWaitForMultipleObjects+0xe5
fffff880`22b35a70 00000000`76da186a : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x13
00000000`0b6dfd18 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x76da186a

STACK_COMMAND: kb

FOLLOWUP_IP:
nt!KiCommitThreadWait+26d
fffff800`02ee018d 4d8bb4c040ec2a00 mov r14,qword ptr [r8+rax*8+2AEC40h]

SYMBOL_STACK_INDEX: 3

SYMBOL_NAME: nt!KiCommitThreadWait+26d

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: nt

IMAGE_NAME: ntkrnlmp.exe

DEBUG_FLR_IMAGE_TIMESTAMP: 54c996c8

FAILURE_BUCKET_ID: X64_0xA_nt!KiCommitThreadWait+26d

BUCKET_ID: X64_0xA_nt!KiCommitThreadWait+26d

Followup: MachineOwner
---------