Intermediate BSODs when shutting down/restart/sleep/hibernate computer


  1. Posts : 5,169
    64bit Win 10 Pro ver 21H2
       #11

    Did you check via the HP website as well? Sometimes the laptop manufacturers modify the generic drivers to make them work with their own hardware.

    I'm just analysing your new crash dump - it's different again!


  2. Posts : 5,169
    64bit Win 10 Pro ver 21H2
       #12

    The analysis of your latest crash dump points back at the Juniper Network drivers (Pulse Security).

    This time it was a:
    Code:
    KERNEL_SECURITY_CHECK_FAILURE (139)
    A kernel component has corrupted a critical data structure.  The corruption
    could potentially allow a malicious user to gain control of this machine.
    
    Arguments:
    Arg1: 0000000000000003, A LIST_ENTRY has been corrupted (i.e. double remove).
    Arg2: ffff9689e98fb660, Address of the trap frame for the exception that caused the bugcheck
    Arg3: ffff9689e98fb5b8, Address of the exception record for the exception that caused the bugcheck
    Arg4: 0000000000000000, Reserved
    
    PROCESS_NAME:  svchost.exe
    FAILURE_BUCKET_ID:  0x139_3_CORRUPT_LIST_ENTRY_tdx!TdxCreateTransportAddress

    Looking at the stack for the events happening around the failure point we find the following:
    Code:
    Start memory scan  : 0xffff9689e98fb338 ($csp)
    End memory scan    : 0xffff9689e98fd000 (Kernel Stack Base)
    
                   rax : 0xffff9689e98fb440 : 0xfffff80260de8e30 : nt!NonPagedPoolDescriptor+0x470
                   rsp : 0xffff9689e98fb338 : 0xfffff80260bbf069 : nt!KiBugCheckDispatch+0x69
                   rbp : 0xffff9689e98fb6e0 : 0xffffe68d68fbc8d0 :  !da ""Advapi  ""
    0xffff9689e98fb338 : 0xfffff80260bbf069 : nt!KiBugCheckDispatch+0x69
    0xffff9689e98fb440 : 0xfffff80260de8e30 : nt!NonPagedPoolDescriptor+0x470
    0xffff9689e98fb450 : 0xfffff80260de89c0 : nt!NonPagedPoolDescriptor
    0xffff9689e98fb460 : 0xfffff80260de89c8 : nt!NonPagedPoolDescriptor+0x8
    0xffff9689e98fb478 : 0xfffff80260bbf410 : nt!KiFastFailDispatch+0xd0
    0xffff9689e98fb568 : 0xfffff80260a42c6b : nt!KeSetEvent+0xab
    0xffff9689e98fb580 : 0xfffff80260de8e30 : nt!NonPagedPoolDescriptor+0x470
    0xffff9689e98fb590 : 0xfffff80260de89c0 : nt!NonPagedPoolDescriptor
    0xffff9689e98fb5a0 : 0xfffff80260de89c8 : nt!NonPagedPoolDescriptor+0x8
    0xffff9689e98fb628 : 0xfffff800c20f2e74 : tcpip!UdpTlProviderMessage+0x124
    0xffff9689e98fb658 : 0xfffff80260bbda1f : nt!KiRaiseSecurityCheckFailure+0x2df
    0xffff9689e98fb660 : 0x0000000000000000 :  Trap @ ffff9689e98fb660
    0xffff9689e98fb668 : 0xfffff80260a39914 : nt!SepAccessCheck+0x354
    0xffff9689e98fb678 : 0xffffe68d68fbc8d0 :  !da ""Advapi  ""
    0xffff9689e98fb680 : 0xffffe68d68fbc8d0 :  !da ""Advapi  ""
    0xffff9689e98fb6e0 : 0xffffe68d68fbc8d0 :  !da ""Advapi  ""
    0xffff9689e98fb738 : 0xfffff80260a7fb06 : nt!SepMaximumAccessCheck+0x1a6
    0xffff9689e98fb788 : 0xfffff80260cf9408 : nt!StandardBitMapping
    0xffff9689e98fb790 : 0xffffe68d68fbc8d0 :  !da ""Advapi  ""
    0xffff9689e98fb7c0 : 0xffffe68d68fbc8d0 :  !da ""Advapi  ""
    0xffff9689e98fb808 : 0xfffff80260a39914 : nt!SepAccessCheck+0x354
    0xffff9689e98fb810 : 0xffffe68d68fbc8d0 :  !da ""Advapi  ""
    0xffff9689e98fb818 : 0xffffe68d68fbc8d0 :  !da ""Advapi  ""
    0xffff9689e98fb830 : 0xfffff80260de8e30 : nt!NonPagedPoolDescriptor+0x470
    0xffff9689e98fb840 : 0xfffff80260de89c8 : nt!NonPagedPoolDescriptor+0x8
    0xffff9689e98fb878 : 0xfffff800c222d000 : tcpip!AleFqbnAttributeName
    0xffff9689e98fb898 : 0xffff97818650cb50 : 0xffff978186132a60 : 0xfffff800c0bca180 : tdx!TdxTransportListHead
    0xffff9689e98fb8d8 : 0xfffff800c0bb41ec : tdx!TdxCreateTransportAddress+0xac
    0xffff9689e98fb930 : 0xffffe68d68fbc8d0 :  !da ""Advapi  ""
    0xffff9689e98fb950 : 0xffff97818650cb50 : 0xffff978186132a60 : 0xfffff800c0bca180 : tdx!TdxTransportListHead
    0xffff9689e98fb958 : 0xfffff800c0bb5f6e : tdx!TdxTdiDispatchCreate+0x60e
    0xffff9689e98fb9d8 : 0xffff9689e98fbed0 : 0xffffe68d701fd2c0 :  !du "\Device\Udp"
    0xffff9689e98fb9e8 : 0xfffff80260a3fef9 : nt!IofCallDriver+0x59
    *** WARNING: Unable to verify timestamp for NEOFLTR_825_50207.SYS
    *** ERROR: Module load completed but symbols could not be loaded for NEOFLTR_825_50207.SYS
    0xffff9689e98fba70 : 0x2e74736f68637673 :  !da "svchost.exe"
    0xffff9689e98fbb28 : 0xfffff80260f907d4 : nt!IopAllocRealFileObject+0x184
    0xffff9689e98fbb68 : 0xfffff80260a3a108 : nt!ExReleaseResourceLite+0xc8
    0xffff9689e98fbbb8 : 0xfffff80260a3fef9 : nt!IofCallDriver+0x59
    0xffff9689e98fbbf8 : 0xfffff80260f8f1c3 : nt!IopParseDevice+0x773
    0xffff9689e98fbc08 : 0xffff9689e98fbed0 : 0xffffe68d701fd2c0 :  !du "\Device\Udp"
    0xffff9689e98fbc58 : 0xfffff80260ee21b5 : nt!ObpIncrementHandleCountEx+0x255

    Using another command to look at the thread we can explore the failure in more detail (this probably won't mean much to you but it is for the benefit of other analysts who may be interested; I used the MEX extension for WinDBG, which is publicly available from Microsoft). The thread has this driver involved and by looking at the IRP we can see where the failure occurred. Tdx.sys is a Windows driver so is unlikely to be the problem; my guess is it was passed a bad command from the neofltr_825_50207.sys driver.

    Code:
    2: kd> .load mex
    Mex External 3.0.0.7172 Loaded!
    2: kd> !t
    Failed to read nt!KeMaximumIncrement. Thread and Wait times may be invalid
    Process                        Thread                       CID       TEB              UserTime KernelTime ContextSwitches Wait Reason Time State
    svchost.exe (ffff9781a96af580) ffff9781a9ef7700 (E|K|W|R|V) 1d60.2afc 0000000d0a0c3000        0          0              24 UserRequest    0 Running on processor 2
    
    Irp List:
        IRP              File
        ffff97818bf8fc60
    ffff9781ac7c97b0
    
    Priority:
    Current Base Decrement ForegroundBoost IO Page
        9       8    0         0               0  5
    
    # Child-SP         Return           Call Site
    0 ffff9689e98fb338 fffff80260bbf069 nt!KeBugCheckEx
    1 ffff9689e98fb340 fffff80260bbf410 nt!KiBugCheckDispatch+0x69
    2 ffff9689e98fb480 fffff80260bbda1f nt!KiFastFailDispatch+0xd0
    3 ffff9689e98fb660 fffff80260cf0e55 nt!KiRaiseSecurityCheckFailure+0x2df
    4 ffff9689e98fb7f0 fffff800c0bb41ec nt!ExAllocatePoolWithTag+0x1a45
    5 ffff9689e98fb8e0 fffff800c0bb5f6e tdx!TdxCreateTransportAddress+0xac
    6 ffff9689e98fb960 fffff80260a3fef9 tdx!TdxTdiDispatchCreate+0x60e
    7 ffff9689e98fb9f0 fffff800c0bf5a22 nt!IofCallDriver+0x59
    8 ffff9689e98fba30 0000000000000000 NEOFLTR_825_50207+0x5a22
    
    0: kd> !mex.mirp ffff97818bf8fc60
    
    Irp Details: ffff97818bf8fc60 [ verbose | !ddt | !irp ]
    
        System buffer    Thread                        Frame Count
        ================ ============================= ===========
        ffff978193102010 ffff9781a9ef7700(svchost.exe)           2
    
    Irp Stack Frame(s)
    
      # Driver                    Major  Minor Dispatch Routine         Flg Ctrl Status Completion Invoker(s)  Device           File             Context            Completion Routine       Args                                                 
        === ========================= ====== ===== ======================== === ==== ====== ====================== ================ ================ ================== ======================== =====================================================================
    -> 1 \Driver\tdx CREATE     0 tdx!TdxTdiDispatchCreate   1   e0 None   Cancel, Success, Error ffff97818650c060 ffff9781aaa30080 ffff97818650dbb0() NEOFLTR_825_50207+0x5480 ffff9689e98fbd58() 0000000002000000 0000000000000000 0000000000000032
       2 \Driver\NEOFLTR_825_50207 CREATE     0                            1    0 None                          ffff97818650da60 ffff9781aaa30080 ffff9689e98fbd58() 0000000002000000 0000000000000000 0000000000000032
    
    File Details: ffff9781aaa30080
    
        Name Device           Driver         Vpb Flags Byte Offset        FsContext       FsContext2 Owning Process
        ==== ================ =========== ====== ===== =========== ================ ================ ==============
    ffff97818650c060 \Driver\tdx (null)     0           0 0000000000000000 0000000000000000 
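
Added example, not part of the original post and not Windows source code: a minimal C sketch of the link-consistency check behind Arg1 = 3 (a LIST_ENTRY whose neighbours no longer point back at it, as after a double remove). The function names are hypothetical, and the check returns the code instead of raising a fast-fail so the result can be inspected.

```c
#include <stdio.h>

/* Same layout as the Windows LIST_ENTRY: a circular doubly linked list node. */
typedef struct list_entry {
    struct list_entry *Flink;   /* next */
    struct list_entry *Blink;   /* previous */
} list_entry;

/* Value reported in Arg1 of bugcheck 0x139 for a corrupted LIST_ENTRY. */
#define FAST_FAIL_CORRUPT_LIST_ENTRY 3

static void init_list_head(list_entry *head) {
    head->Flink = head->Blink = head;
}

static void insert_tail(list_entry *head, list_entry *e) {
    e->Flink = head;
    e->Blink = head->Blink;
    head->Blink->Flink = e;
    head->Blink = e;
}

/* Checked unlink: both neighbours must still point back at the entry.
 * The kernel raises a fast-fail (the bugcheck) when this check fails;
 * this sketch returns the code instead so the result can be inspected. */
static int remove_entry_checked(list_entry *e) {
    list_entry *next = e->Flink, *prev = e->Blink;
    if (next->Blink != e || prev->Flink != e)
        return FAST_FAIL_CORRUPT_LIST_ENTRY;
    prev->Flink = next;
    next->Blink = prev;
    return 0;
}

/* Constructed scenario: the same entry is unlinked twice. */
static int double_remove_demo(void) {
    list_entry head, a, b;
    init_list_head(&head);
    insert_tail(&head, &a);
    insert_tail(&head, &b);
    if (remove_entry_checked(&a) != 0)   /* first removal is legitimate */
        return -1;
    return remove_entry_checked(&a);     /* stale links: detected, returns 3 */
}

int main(void) {
    printf("second removal -> %d\n", double_remove_demo());
    return 0;
}
```

Without the check, the second unlink would write through the stale pointers and silently damage the list; with it, the corruption is caught at the point of the unlink.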


  3. Posts : 41,473
    windows 10 professional version 1607 build 14393.969 64 bit
       #13

    The computer that you are using is a G2 and we are using the same computer.
    System information or msinfo32 has information on hardware, drivers, problem devices, windows error reporting etc. that are useful in the troubleshooting.
    The computer that I am using to type this chat is the same model: G2
    Rarely does an OP have the same computer.
    OneDrive and Dropbox have features to control the share link.
    It would be helpful if you post the log file for several days.
    Then you could remove it from the thread or turn off the link.
    The BETA log collector has more useful log files for troubleshooting.


  4. Posts : 41,473
    windows 10 professional version 1607 build 14393.969 64 bit
       #14

    philc43 said:
    Using another command to look at the thread we can explore the failure in more detail (this probably won't mean much to you but it is for the benefit of other analysts who may be interested; I used the MEX extension for WinDBG, which is publicly available from Microsoft).
    Which link can be used to add the MEX for WinDBG?
    Which other links if any are useful to download?
    In the search it displayed symbol package depreciation.
    Download Windows Symbol Packages for Debugging - Windows drivers | Microsoft Docs
    Is that related or unrelated to the extension?


  5. Posts : 5,169
    64bit Win 10 Pro ver 21H2
       #15

    zbook said:
    Which link can be used to add the MEX for WinDBG?
    Which other links if any are useful to download?
    In the search it displayed symbol package depreciation.
    Download Windows Symbol Packages for Debugging - Windows drivers | Microsoft Docs
    Is that related or unrelated to the extension?
    MEX is not the symbol packages - that is something else.

    The link you need is https://www.microsoft.com/en-us/download/details.aspx?id=53304


  6. das
    Posts : 36
    Windows 10 x64
    Thread Starter
       #16

    philc43 said:
    Did you check via the HP website as well? Sometimes the laptop manufacturers modify the generic drivers to make them work with their own hardware.

    I'm just analysing your new crash dump - it's different again!
    Yes, on HP's website it's even older.
    Though I found a newer one on Intel's site, but I'm still getting a BSOD, see attached.

    Is this also Pulse Secure?


  7. Posts : 5,169
    64bit Win 10 Pro ver 21H2
       #17

    It is the Network driver again:

    Code:
    6: kd> !kdexts.irp ffff878c5a66a570
    Irp is active with 4 stacks 3 is current (= 0xffff878c5a66a6d0)
     No Mdl: No System Buffer: Thread 00000000:  Irp stack trace.  
         cmd  flg cl Device   File     Completion-Context
     [N/A(0), N/A(0)]
                0  0 00000000 00000000 00000000-00000000    
    
    			Args: 00000000 00000000 00000000 00000000
     [N/A(0), N/A(0)]
                0  0 00000000 00000000 00000000-00000000    
    
    			Args: 00000000 00000000 00000000 00000000
    >[IRP_MJ_POWER(16), IRP_MN_SET_POWER(2)]
                0 e1 ffff878c4522a050 00000000 fffff8031e304060-ffff878c57a8e980 Success Error Cancel pending
    Unable to load image \SystemRoot\system32\DRIVERS\e1d65x64.sys, Win32 error 0n2
    *** WARNING: Unable to verify timestamp for e1d65x64.sys
    *** ERROR: Module load completed but symbols could not be loaded for e1d65x64.sys
    \Driver\e1dexpress	nt!PopSystemIrpCompletion
    			Args: 00015500 00000000 00000005 00000003
     [N/A(0), N/A(0)]
                0  0 00000000 00000000 00000000-ffff878c57a8e980    
    
    			Args: 00000000 00000000 00000000 00000000

    Sometimes you have to go back to the older HP driver to get it to work.


  8. das
    Posts : 36
    Windows 10 x64
    Thread Starter
       #18

    So I uninstalled the current one and installed the HP one.

    Then after a few hours the Wi-Fi stopped working and I had to reboot and got a new BSOD, see attached.


  9. Posts : 41,473
    windows 10 professional version 1607 build 14393.969 64 bit
       #19

    There are two log collectors: DM and BETA.
    The BETA log collector will collect more useful folders and files.
    At some time the BETA log collector will replace the DM log collector.
    The link for the BETA log collector is in the lower half of this web page.
    Please run the BETA log collector now and post a new zip into the thread.

    After each BSOD:
    a) run the BETA log collector and post a new zip into the thread
    b) open File Explorer > This PC > C: > in the right upper corner search for: C:\windows\memory.dmp > if the file size is < 1.5 GB then zip and post a share link into the thread using OneDrive, drive box, or Google Drive.

    Uninstall McAfee AV using the applicable uninstall tool:
    http://download.mcafee.com/products/...tches/MCPR.exe

    After uninstalling McAfee AV make sure that Windows Defender is on.


  10. das
    Posts : 36
    Windows 10 x64
    Thread Starter
       #20

    What logs are you missing?

    I have 32GB of memory so the memory.dmp is large.

    What's the purpose of uninstalling McAfee?


 
