BSOD On Startup After Installing KB3070102

[dave1977nj]

I just installed all of the new windows updates today 7/14/2015. After a reboot I got a BSOD. I narrowed it down by removing one by one of 14 updates and the one that is causing the BSOD on startup is KB3070102.


*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

SYSTEM_SERVICE_EXCEPTION (3b)
An exception happened while executing a system service routine.
Arguments:
Arg1: 00000000c0000005, Exception code that caused the bugcheck
Arg2: fffff960000f29ec, Address of the instruction which caused the bugcheck
Arg3: fffff88002f79020, Address of the context record for the exception that caused the bugcheck
Arg4: 0000000000000000, zero.

Debugging Details:
------------------

TRIAGER: Could not open triage file : e:\dump_analysis\program\triage\modclass.ini, error 2

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".

FAULTING_IP:
win32k!AllocateW32Process+44
fffff960`000f29ec ff1526161f00 call qword ptr [win32k!_imp_ExAllocatePoolWithQuotaTag (fffff960`002e4018)]

CONTEXT: fffff88002f79020 -- (.cxr 0xfffff88002f79020)
rax=0000000000000000 rbx=0000000000000000 rcx=0000000000000029
rdx=0000000000000328 rsi=fffffa800a655b30 rdi=0000000000000328
rip=fffff960000f29ec rsp=fffff88002f79a00 rbp=00000000000002f0
r8=0000000069707355 r9=0000000000000010 r10=fffffa800a655b00
r11=000007fffffd8000 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000064
iopl=0 nv up ei pl zr na po nc
cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00010246
win32k!AllocateW32Process+0x44:
fffff960`000f29ec ff1526161f00 call qword ptr [win32k!_imp_ExAllocatePoolWithQuotaTag (fffff960`002e4018)] ds:002b:fffff960`002e4018=00000000003113b2
Resetting default scope

DEFAULT_BUCKET_ID: WIN7_DRIVER_FAULT

BUGCHECK_STR: 0x3B

PROCESS_NAME: csrss.exe

CURRENT_IRQL: 0

LAST_CONTROL_TRANSFER: from fffff960000e7a7e to fffff960000f29ec

STACK_TEXT:
fffff880`02f79a00 fffff960`000e7a7e : 00000000`00000000 fffffa80`0a655b30 00000000`00000000 00000000`00000000 : win32k!AllocateW32Process+0x44
fffff880`02f79a30 fffff960`000eb03c : 00000000`00000001 00000000`00000003 00000000`00000003 fffff800`030cd7fb : win32k!xxxSetProcessInitState+0x2a
fffff880`02f79a60 fffff960`000eaf56 : 00000000`00000003 00000000`00000a7c 00000000`000002f0 00000000`00000000 : win32k!xxxUserNotifyProcessCreate+0xbc
fffff880`02f79ab0 fffff800`030c2f13 : fffffa80`0a739730 fffff880`02f79b60 00000000`00000000 00000000`000001a8 : win32k!NtUserNotifyProcessCreate+0x5e
fffff880`02f79ae0 000007fe`fd35148a : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x13
00000000`0172f688 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x7fe`fd35148a


FOLLOWUP_IP:
win32k!AllocateW32Process+44
fffff960`000f29ec ff1526161f00 call qword ptr [win32k!_imp_ExAllocatePoolWithQuotaTag (fffff960`002e4018)]

SYMBOL_STACK_INDEX: 0

SYMBOL_NAME: win32k!AllocateW32Process+44

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: win32k

IMAGE_NAME: win32k.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 558bc095

STACK_COMMAND: .cxr 0xfffff88002f79020 ; kb

FAILURE_BUCKET_ID: X64_0x3B_win32k!AllocateW32Process+44

BUCKET_ID: X64_0x3B_win32k!AllocateW32Process+44

Followup: MachineOwner

 

[DavidE]

Hello dave1977nj,

I have the same problem, BSOD caused by installing update KB3070102.
This is on my Test box, not the PC in my SF specs.
For me, it BSOD's when I click on my Username icon to log into Windows normally (Win 7 x64).

I can boot in Safe Mode and Safe Mode with Networking with KB3070102 installed, and login to Windows.

Just letting you know you are not the only one with this problem.

This update is for a Windows kernel-mode driver :shock:
https://support.microsoft.com/en-us/kb/3070102

I've been playing around with BIOS settings to see if i could find a change to fix it.
No luck so far.

 

[gdfsgdfg]

I haven't got a bsod with all the new updates even kb3070102 and I have played gta v for a bit.

But I have uninstalled it and will hide it immediately.

 

[dave1977nj]

If anyone figures this problem out it would be greatly appreciated. I am also trying to work on it.

 

[chiko]

Fixed for me but disabling a driver AnitLog64.sys

I had same problem and traced it back to KB3070102 MS15-073.

Would BSOD shortly after providing password but Safe Mode worked find.

Through other search found the thread about using Verifier utility to check all non-Microsoft drivers and traced it back to this one. I used Device Manager / Show Hidden non-plug and play drivers to set AntiLog32 to startup disabled. Despite what shows in Device manager the binaries are signed.
Its supposed to be anti-keylogger from Zemana Ltd. I dont particularly recognize this piece of anti-malware. I am using Norton Security Suite 21.7 which I like OK. Norton was installed as part of a security suite from Comcast Constant Guard. I hate the other elements from Comcast and only use the Norton element but I am guessing this is where the anti-logger came from in the suite.

Make sure you read the full instructions about how to turn the driver verifier off.
Driver Verifier-- tracking down a mis-behaving driver. - Microsoft Community

For now I have decided that I am more paranoid about Elevation of privilege vulnerability than I am about keylogger protection. Verifier might find something else on a different setup.

 

[DavidE]

I use Zemana Antilogger.
I disabled the AntiLog32 driver, disabled Zemana in msconfig startup, re-installed KB3070102, and re-booted.
I don't get a BSOD after disabling Zemana

Thanks chiko for the great help and welcome to Seven Forums !

 

[Thenin]

I had the same BSOD on two different computers, and by trying to install 18 pending Windows Updates one by one, I've absolutely confirmed that KB3070102 IS the problem. And I do not have any of those drivers installed, so it is wrong to blame anything other than a buggy implementation of KB3070102.

Microsoft, of course, denies everything!

See, for example, BSOD on startup KB3070102 - Microsoft Community

 

[chiko]

Try the verifier steps that I linked to and that your link also shows. That is how I found it.
You may just have some other driver that is causing the issue.
Then you can decide which you care about more.
FYI - I ran Verifier after doing the patch and no more problems were found. Ran like crap but no BSOD.