BSOD - wdf0100.sys error

[Big3]

I've deployed a new Win 7 x64 OS and installed all updates. Now I am receiving BSOD with references to wdf01000.sys and DRIVER_IRQL_NOT_LESS_OR_EQUAL remarks. Attached is a zip file with two memdumps. Any suggestions on resolving this would be appreciated.

 

[koolkat77]

Allot of important info is missing from your zip, please follow http://www.sevenforums.com/bsod-help-support/96879-blue-screen-death-bsod-posting-instructions.html to grab all and upload a new report here.

 

[Big3]

I've uploaded the DM log collector file above.

 

[koolkat77]

Start Menu\Programs\McAfee	Public:Start Menu\Programs\McAfee	Public

Uninstall McAfee as it is a cause of BSOD's.

Keep MSE only.

Revo Uninstaller:

Use Revo Uninstaller to uninstall stubborn software.

• Download and install the software
• Opt for Advance Mode while uninstalling which allows you to remove leftover registry.
• Download Revo Uninstaller Freeware - Free and Full Download - Uninstall software, remove programs, solve uninstall problems

---

Microsoft Security Essentials is recommended from a strict BSOD perspective, compatibility & stability compared to other internet security software. Malwarebytes is a great combo to MSE. They are free and lightweight.

Also uninstall your existing Antivirus software before you install MSE.

http://www.sevenforums.com/system-security/206705-good-free-system-security-combination.html

   Warning

Do not start the free trial of Malware Bytes; remember to deselect that option when prompted.

 Clean boot

• http://www.sevenforums.com/tutorial...ation-conflicts-performing-clean-startup.html

Reduce items at start-up. No software except anti-virus is required plus doing this improves the time for logging into windows:

• How to Change, Add, or Remove Startup Programs in Windows 7

Run the System File Checker that scans the of all protected Windows 7 system files and replaces incorrect corrupted, changed/modified, or damaged versions with the correct versions if possible:

• Click on the rb:
• Type CMD on Search
• Left click and Run as Administrator
• Type SFC /scannow

Full tutorial here:

• http://www.sevenforums.com/tutorials/1538-sfc-scannow-command-system-file-checker.html

[FONT="Lucida Console"]
Microsoft (R) Windows Debugger Version 6.3.9600.16384 X86
Copyright (c) Microsoft Corporation. All rights reserved.


Loading Dump File [C:\Users\YUSRA\Downloads\Compressed\CCIU-I-105-Thu_01_29_2015_163357_10\012915-28735-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available


************* Symbol Path validation summary **************
Response                         Time (ms)     Location
Deferred                                       SRV*c:\symbols*http://msdl.microsoft.com/download/symbols
Symbol search path is: SRV*c:\symbols*http://msdl.microsoft.com/download/symbols
Executable search path is: 
Windows 7 Kernel Version 7601 (Service Pack 1) MP (24 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 7601.18700.amd64fre.win7sp1_gdr.141211-1742
Machine Name:
Kernel base = 0xfffff800`0384d000 PsLoadedModuleList = 0xfffff800`03a90890
Debug session time: Thu Jan 29 06:18:41.862 2015 (UTC + 6:00)
System Uptime: 0 days 4:13:49.192
Loading Kernel Symbols
.

Press ctrl-c (cdb, kd, ntsd) or ctrl-break (windbg) to abort symbol loads that take too long.
Run !sym noisy before .reload to track down problems loading symbols.

..............................................................
................................................................
................................................................
.........
Loading User Symbols
Loading unloaded module list
........................
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck D1, {ffffffffffffffe8, 2, 0, fffff88000ea31d9}

*** WARNING: Unable to verify timestamp for Wdf01000.sys
*** ERROR: Module load completed but symbols could not be loaded for Wdf01000.sys
Unable to open image file: C:\ProgramData\dbg\sym\Wdf01000.sys\51C51641c2000\Wdf01000.sys
The system cannot find the file specified.

Probably caused by : Wdf01000.sys ( Wdf01000+171d9 )

Followup: MachineOwner
---------

0: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high.  This is usually
caused by drivers using improper addresses.
If kernel debugger is available get stack backtrace.
Arguments:
Arg1: ffffffffffffffe8, memory referenced
Arg2: 0000000000000002, IRQL
Arg3: 0000000000000000, value 0 = read operation, 1 = write operation
Arg4: fffff88000ea31d9, address which referenced memory

Debugging Details:
------------------

Unable to open image file: C:\ProgramData\dbg\sym\Wdf01000.sys\51C51641c2000\Wdf01000.sys
The system cannot find the file specified.


READ_ADDRESS: GetPointerFromAddress: unable to read from fffff80003afa100
GetUlongFromAddress: unable to read from fffff80003afa1c0
 ffffffffffffffe8 

CURRENT_IRQL:  2

FAULTING_IP: 
Wdf01000+171d9
fffff880`00ea31d9 483950e8        cmp     qword ptr [rax-18h],rdx

CUSTOMER_CRASH_COUNT:  1

DEFAULT_BUCKET_ID:  WIN7_DRIVER_FAULT

BUGCHECK_STR:  0xD1

PROCESS_NAME:  System

ANALYSIS_VERSION: 6.3.9600.16384 (debuggers(dbg).130821-1623) x86fre

TRAP_FRAME:  fffff880009ff3b0 -- (.trap 0xfffff880009ff3b0)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=0000000000000000 rbx=0000000000000000 rcx=fffffa80401fe0f0
rdx=fffffa80745fc6a8 rsi=0000000000000000 rdi=0000000000000000
rip=fffff88000ea31d9 rsp=fffff880009ff540 rbp=fffff880009ff5b8
 r8=0000000000000000  r9=0000000000000000 r10=0000000000000000
r11=fffff80003a3de80 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0         nv up ei pl nz na pe cy
Wdf01000+0x171d9:
fffff880`00ea31d9 483950e8        cmp     qword ptr [rax-18h],rdx ds:ffffffff`ffffffe8=????????????????
Resetting default scope

LAST_CONTROL_TRANSFER:  from fffff800038c3429 to fffff800038c3e80

STACK_TEXT:  
fffff880`009ff268 fffff800`038c3429 : 00000000`0000000a ffffffff`ffffffe8 00000000`00000002 00000000`00000000 : nt!KeBugCheckEx
fffff880`009ff270 fffff800`038c20a0 : 00000000`00000000 fffffa80`32957b50 00000000`00000010 00000000`00000000 : nt!KiBugCheckDispatch+0x69
fffff880`009ff3b0 fffff880`00ea31d9 : fffffa80`32957b50 fffff800`03a3de80 fffffa80`32957c10 00000000`00000000 : nt!KiPageFault+0x260
fffff880`009ff540 fffffa80`32957b50 : fffff800`03a3de80 fffffa80`32957c10 00000000`00000000 00000000`00000000 : Wdf01000+0x171d9
fffff880`009ff548 fffff800`03a3de80 : fffffa80`32957c10 00000000`00000000 00000000`00000000 fffffa80`401fe020 : 0xfffffa80`32957b50
fffff880`009ff550 fffffa80`32957c10 : 00000000`00000000 00000000`00000000 fffffa80`401fe020 fffffa80`401fd5f0 : nt!KiInitialPCR+0x180
fffff880`009ff558 00000000`00000000 : 00000000`00000000 fffffa80`401fe020 fffffa80`401fd5f0 fffff880`009ff608 : 0xfffffa80`32957c10


STACK_COMMAND:  kb

FOLLOWUP_IP: 
Wdf01000+171d9
fffff880`00ea31d9 483950e8        cmp     qword ptr [rax-18h],rdx

SYMBOL_STACK_INDEX:  3

SYMBOL_NAME:  Wdf01000+171d9

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: Wdf01000

IMAGE_NAME:  Wdf01000.sys

DEBUG_FLR_IMAGE_TIMESTAMP:  51c51641

FAILURE_BUCKET_ID:  X64_0xD1_Wdf01000+171d9

BUCKET_ID:  X64_0xD1_Wdf01000+171d9

ANALYSIS_SOURCE:  KM

FAILURE_ID_HASH_STRING:  km:x64_0xd1_wdf01000+171d9

FAILURE_ID_HASH:  {5bc4ed1b-6fae-55eb-0641-4a955e2d96ba}

Followup: MachineOwner
---------

[/FONT]

 

[Big3]

Is this based on detailed analysis of the data submitted or just a random guess? I have several other similarly configured machines with no BSOD issue using this version of McAfee.

 

[koolkat77]

You may install McAfee back at any time. But first let us wait and observe