Did you check via the HP website as well? Sometimes the laptop manufacturers modify the generic drivers to make them work with their own hardware.
I'm just analysing your new crash dump - it's different again!
The analysis of your latest crash dump points back at the Juniper Network drivers (Pulse Security).
This time it was a:

Code:
KERNEL_SECURITY_CHECK_FAILURE (139)
A kernel component has corrupted a critical data structure. The corruption could potentially allow a malicious user to gain control of this machine.
Arguments:
Arg1: 0000000000000003, A LIST_ENTRY has been corrupted (i.e. double remove).
Arg2: ffff9689e98fb660, Address of the trap frame for the exception that caused the bugcheck
Arg3: ffff9689e98fb5b8, Address of the exception record for the exception that caused the bugcheck
Arg4: 0000000000000000, Reserved
PROCESS_NAME: svchost.exe
FAILURE_BUCKET_ID: 0x139_3_CORRUPT_LIST_ENTRY_tdx!TdxCreateTransportAddress

Looking at the stack for the events happening around the failure point we find the following:

Code:
Start memory scan : 0xffff9689e98fb338 ($csp)
End memory scan : 0xffff9689e98fd000 (Kernel Stack Base)
rax : 0xffff9689e98fb440 : 0xfffff80260de8e30 : nt!NonPagedPoolDescriptor+0x470
rsp : 0xffff9689e98fb338 : 0xfffff80260bbf069 : nt!KiBugCheckDispatch+0x69
rbp : 0xffff9689e98fb6e0 : 0xffffe68d68fbc8d0 : !da ""Advapi ""
0xffff9689e98fb338 : 0xfffff80260bbf069 : nt!KiBugCheckDispatch+0x69
0xffff9689e98fb440 : 0xfffff80260de8e30 : nt!NonPagedPoolDescriptor+0x470
0xffff9689e98fb450 : 0xfffff80260de89c0 : nt!NonPagedPoolDescriptor
0xffff9689e98fb460 : 0xfffff80260de89c8 : nt!NonPagedPoolDescriptor+0x8
0xffff9689e98fb478 : 0xfffff80260bbf410 : nt!KiFastFailDispatch+0xd0
0xffff9689e98fb568 : 0xfffff80260a42c6b : nt!KeSetEvent+0xab
0xffff9689e98fb580 : 0xfffff80260de8e30 : nt!NonPagedPoolDescriptor+0x470
0xffff9689e98fb590 : 0xfffff80260de89c0 : nt!NonPagedPoolDescriptor
0xffff9689e98fb5a0 : 0xfffff80260de89c8 : nt!NonPagedPoolDescriptor+0x8
0xffff9689e98fb628 : 0xfffff800c20f2e74 : tcpip!UdpTlProviderMessage+0x124
0xffff9689e98fb658 : 0xfffff80260bbda1f : nt!KiRaiseSecurityCheckFailure+0x2df
0xffff9689e98fb660 : 0x0000000000000000 : Trap @ ffff9689e98fb660
0xffff9689e98fb668 : 0xfffff80260a39914 : nt!SepAccessCheck+0x354
0xffff9689e98fb678 : 0xffffe68d68fbc8d0 : !da ""Advapi ""
0xffff9689e98fb680 : 0xffffe68d68fbc8d0 : !da ""Advapi ""
0xffff9689e98fb6e0 : 0xffffe68d68fbc8d0 : !da ""Advapi ""
0xffff9689e98fb738 : 0xfffff80260a7fb06 : nt!SepMaximumAccessCheck+0x1a6
0xffff9689e98fb788 : 0xfffff80260cf9408 : nt!StandardBitMapping
0xffff9689e98fb790 : 0xffffe68d68fbc8d0 : !da ""Advapi ""
0xffff9689e98fb7c0 : 0xffffe68d68fbc8d0 : !da ""Advapi ""
0xffff9689e98fb808 : 0xfffff80260a39914 : nt!SepAccessCheck+0x354
0xffff9689e98fb810 : 0xffffe68d68fbc8d0 : !da ""Advapi ""
0xffff9689e98fb818 : 0xffffe68d68fbc8d0 : !da ""Advapi ""
0xffff9689e98fb830 : 0xfffff80260de8e30 : nt!NonPagedPoolDescriptor+0x470
0xffff9689e98fb840 : 0xfffff80260de89c8 : nt!NonPagedPoolDescriptor+0x8
0xffff9689e98fb878 : 0xfffff800c222d000 : tcpip!AleFqbnAttributeName
0xffff9689e98fb898 : 0xffff97818650cb50 : 0xffff978186132a60 : 0xfffff800c0bca180 : tdx!TdxTransportListHead
0xffff9689e98fb8d8 : 0xfffff800c0bb41ec : tdx!TdxCreateTransportAddress+0xac
0xffff9689e98fb930 : 0xffffe68d68fbc8d0 : !da ""Advapi ""
0xffff9689e98fb950 : 0xffff97818650cb50 : 0xffff978186132a60 : 0xfffff800c0bca180 : tdx!TdxTransportListHead
0xffff9689e98fb958 : 0xfffff800c0bb5f6e : tdx!TdxTdiDispatchCreate+0x60e
0xffff9689e98fb9d8 : 0xffff9689e98fbed0 : 0xffffe68d701fd2c0 : !du "\Device\Udp"
0xffff9689e98fb9e8 : 0xfffff80260a3fef9 : nt!IofCallDriver+0x59
*** WARNING: Unable to verify timestamp for NEOFLTR_825_50207.SYS
*** ERROR: Module load completed but symbols could not be loaded for NEOFLTR_825_50207.SYS
0xffff9689e98fba70 : 0x2e74736f68637673 : !da "svchost.exe"
0xffff9689e98fbb28 : 0xfffff80260f907d4 : nt!IopAllocRealFileObject+0x184
0xffff9689e98fbb68 : 0xfffff80260a3a108 : nt!ExReleaseResourceLite+0xc8
0xffff9689e98fbbb8 : 0xfffff80260a3fef9 : nt!IofCallDriver+0x59
0xffff9689e98fbbf8 : 0xfffff80260f8f1c3 : nt!IopParseDevice+0x773
0xffff9689e98fbc08 : 0xffff9689e98fbed0 : 0xffffe68d701fd2c0 : !du "\Device\Udp"
0xffff9689e98fbc58 : 0xfffff80260ee21b5 : nt!ObpIncrementHandleCountEx+0x255

Using another command to look at the thread we can explore the failure in more detail (this probably won't mean much to you but it is for the benefit of other analysts who may be interested, I used the MEX extension for WinDBG which is publicly available from Microsoft). The thread has this driver involved and by looking at the IRP we can see where the failure occurred. Tdx.sys is a Windows driver so is unlikely to be the problem, my guess is it was passed a bad command from the neofltr_825_50207.sys driver.

Code:
2: kd> .load mex
Mex External 3.0.0.7172 Loaded!
2: kd> !t
Failed to read nt!KeMaximumIncrement. Thread and Wait times may be invalid
Process Thread CID TEB UserTime KernelTime ContextSwitches Wait Reason Time State
svchost.exe (ffff9781a96af580) ffff9781a9ef7700 (E|K|W|R|V) 1d60.2afc 0000000d0a0c3000 0 0 24 UserRequest 0 Running on processor 2
Irp List:
IRP File
ffff97818bf8fc60 ffff9781ac7c97b0
Priority:
Current Base Decrement ForegroundBoost IO Page
9 8 0 0 0 5
# Child-SP Return Call Site
0 ffff9689e98fb338 fffff80260bbf069 nt!KeBugCheckEx
1 ffff9689e98fb340 fffff80260bbf410 nt!KiBugCheckDispatch+0x69
2 ffff9689e98fb480 fffff80260bbda1f nt!KiFastFailDispatch+0xd0
3 ffff9689e98fb660 fffff80260cf0e55 nt!KiRaiseSecurityCheckFailure+0x2df
4 ffff9689e98fb7f0 fffff800c0bb41ec nt!ExAllocatePoolWithTag+0x1a45
5 ffff9689e98fb8e0 fffff800c0bb5f6e tdx!TdxCreateTransportAddress+0xac
6 ffff9689e98fb960 fffff80260a3fef9 tdx!TdxTdiDispatchCreate+0x60e
7 ffff9689e98fb9f0 fffff800c0bf5a22 nt!IofCallDriver+0x59
8 ffff9689e98fba30 0000000000000000 NEOFLTR_825_50207+0x5a22
0: kd> !mex.mirp ffff97818bf8fc60
Irp Details: ffff97818bf8fc60 [ verbose | !ddt | !irp ]
System buffer Thread Frame Count
================ ============================= ===========
ffff978193102010 ffff9781a9ef7700(svchost.exe) 2
Irp Stack Frame(s)
# Driver Major Minor Dispatch Routine Flg Ctrl Status Completion Invoker(s) Device File Context Completion Routine Args
=== ========================= ====== ===== ======================== === ==== ====== ====================== ================ ================ ================== ======================== =====================================================================
->1\Driver\tdxCREATE 0 tdx!TdxTdiDispatchCreate 1 e0 None Cancel, Success, Error ffff97818650c060ffff9781aaa30080ffff97818650dbb0() NEOFLTR_825_50207+0x5480 ffff9689e98fbd58() 0000000002000000 0000000000000000 0000000000000032
2\Driver\NEOFLTR_825_50207CREATE 0 1 0 None ffff97818650da60ffff9781aaa30080ffff9689e98fbd58() 0000000002000000 0000000000000000 0000000000000032
File Details: ffff9781aaa30080
Name Device Driver Vpb Flags Byte Offset FsContext FsContext2 Owning Process
==== ================ =========== ====== ===== =========== ================ ================ ==============
ffff97818650c060\Driver\tdx (null) 0 0 0000000000000000 0000000000000000
The computer that you are using is a G2 and we are using the same computer.
System information or msinfo32 has information on hardware, drivers, problem devices, Windows Error Reporting etc. that is useful in troubleshooting.
The computer that I am using to type this chat is the same model: G2
Rarely does an OP have the same computer.
OneDrive and Dropbox have features to control the share link.
It would be helpful if you post the log file for several days.
Then you could remove it from the thread or turn off the link.
The BETA log collector has more useful log files for troubleshooting.
Which link can be used to add the MEX for WinDBG?
Which other links if any are useful to download?
In the search it displayed symbol package deprecation.
Download Windows Symbol Packages for Debugging - Windows drivers | Microsoft Docs
Is that related or unrelated to the extension?
MEX is not the symbol packages - that is something else.
The link you need is https://www.microsoft.com/en-us/download/details.aspx?id=53304
It is the Network driver again:

Code:
6: kd> !kdexts.irp ffff878c5a66a570
Irp is active with 4 stacks 3 is current (= 0xffff878c5a66a6d0)
No Mdl: No System Buffer: Thread 00000000: Irp stack trace.
cmd flg cl Device File Completion-Context
[N/A(0), N/A(0)]
0 0 00000000 00000000 00000000-00000000
Args: 00000000 00000000 00000000 00000000
[N/A(0), N/A(0)]
0 0 00000000 00000000 00000000-00000000
Args: 00000000 00000000 00000000 00000000
>[IRP_MJ_POWER(16), IRP_MN_SET_POWER(2)]
0 e1 ffff878c4522a050 00000000 fffff8031e304060-ffff878c57a8e980 Success Error Cancel pending
Unable to load image \SystemRoot\system32\DRIVERS\e1d65x64.sys, Win32 error 0n2
*** WARNING: Unable to verify timestamp for e1d65x64.sys
*** ERROR: Module load completed but symbols could not be loaded for e1d65x64.sys
\Driver\e1dexpress nt!PopSystemIrpCompletion
Args: 00015500 00000000 00000005 00000003
[N/A(0), N/A(0)]
0 0 00000000 00000000 00000000-ffff878c57a8e980
Args: 00000000 00000000 00000000 00000000

Sometimes you have to go back to the older HP driver to get it to work.
So I uninstalled the current one and installed the HP one.
Then after a few hours the wifi stopped working and I had to reboot and got a new BSOD, see attached.
There are two log collectors: DM and BETA.
The BETA log collector will collect more useful folders and files.
At some time the BETA log collector will replace the DM log collector.
The link for the BETA log collector is in the lower half of this web page.
Please run the BETA log collector now and post a new zip into the thread.
After each BSOD:
a) run the BETA log collector and post a new zip into the thread
b) open File Explorer > This PC > C: > in the right upper corner search for: C:\windows\memory.dmp > if the file size is < 1.5 GB then zip and post a share link into the thread using OneDrive, Dropbox, or Google Drive.
Uninstall McAfee AV using the applicable uninstall tool:
http://download.mcafee.com/products/...tches/MCPR.exe
After uninstalling McAfee AV make sure that Windows Defender is on.
What logs are you missing?
I have 32GB of memory so the memory.dmp is large.
What's the purpose of uninstalling McAfee?