Dell E5440 + DW5570 + Win10 = BSOD (ntoskrnl.exe & wfplwfs.sys)

ch3mn3y · 18 Apr 2019

So i have problem, again. Now with different device as I got myself Dell Latitude E5440. It has internal modem - model DW5570 and Windows seems to have problem with it. Or at least its drivers.

If I leave it with Windows Update downloaded drivers it sees SIM card, the carrier and that's all - I cannot use it to connect to network.
However if I install Dells drivers (from E5440 support page - version 6.14.4316.502 ,A00) I get BSODs after reboot if SIM card is present (when rebooting, right after logging in) or if I don't disable modem (after full power off and than on). Till reboot everything is fine...

BlueScreenView shows two problematic processes:
ntoskrnl.exe ntoskrnl.exe+3d4f69 fffff803`1b200000 fffff803`1c045000 0x00e45000 0x0011c3e0
wfplwfs.sys wfplwfs.sys+1180 fffff803`1fc40000 fffff803`1fc70000 0x00030000 0x51ee7251
But it doesn't ring any bells for me.

For now I have only Windows dumps (mini and memory ones). I can make other logs/dumps if needed.
https://drive.google.com/open?id=18e...vcsiMGQRDmXTNG

MrPepka · 18 Apr 2019

Code:

Microsoft (R) Windows Debugger Version 10.0.17763.132 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.


Loading Dump File [F:\MEMORY.DMP]
Kernel Bitmap Dump File: Kernel address space is available, User address space may not be available.


************* Path validation summary **************
Response                         Time (ms)     Location
Deferred                                       SRV*
Symbol search path is: SRV*
Executable search path is: 
Windows 10 Kernel Version 18875 MP (4 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 18875.1000.amd64fre.rs_prerelease.190405-1518
Machine Name:
Kernel base = 0xfffff801`27000000 PsLoadedModuleList = 0xfffff801`27a22110
Debug session time: Wed Apr 17 23:37:14.926 2019 (UTC + 2:00)
System Uptime: 0 days 0:02:11.711
Loading Kernel Symbols
......................................Page 2001aa19f too large to be in the dump file.
.........................
................................................................
................................................................
...
Loading User Symbols

Loading unloaded module list
..............
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck D1, {ffff998a42426d24, 2, 0, fffff8012ba41180}

*** ERROR: Module load completed but symbols could not be loaded for inspect.sys
Probably caused by : wfplwfs.sys ( wfplwfs!L2GetValueFromClassifyContext+d0 )

Followup:     MachineOwner
---------

2: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high.  This is usually
caused by drivers using improper addresses.
If kernel debugger is available get stack backtrace.
Arguments:
Arg1: ffff998a42426d24, memory referenced
Arg2: 0000000000000002, IRQL
Arg3: 0000000000000000, value 0 = read operation, 1 = write operation
Arg4: fffff8012ba41180, address which referenced memory

Debugging Details:
------------------


KEY_VALUES_STRING: 1


STACKHASH_ANALYSIS: 1

TIMELINE_ANALYSIS: 1


DUMP_CLASS: 1

DUMP_QUALIFIER: 401

BUILD_VERSION_STRING:  18875.1000.amd64fre.rs_prerelease.190405-1518

SYSTEM_MANUFACTURER:  Dell Inc.

SYSTEM_PRODUCT_NAME:  Latitude E5440

SYSTEM_SKU:  05DE

SYSTEM_VERSION:  00

BIOS_VENDOR:  Dell Inc.

BIOS_VERSION:  A23

BIOS_DATE:  10/08/2018

BASEBOARD_MANUFACTURER:  Dell Inc.

BASEBOARD_PRODUCT:  0TTRNR

BASEBOARD_VERSION:  A00

DUMP_TYPE:  1

BUGCHECK_P1: ffff998a42426d24

BUGCHECK_P2: 2

BUGCHECK_P3: 0

BUGCHECK_P4: fffff8012ba41180

READ_ADDRESS: Unable to get offset of nt!_MI_VISIBLE_STATE.SpecialPool
Unable to get value of nt!_MI_VISIBLE_STATE.SessionSpecialPool
 ffff998a42426d24 Nonpaged pool

CURRENT_IRQL:  2

FAULTING_IP: 
wfplwfs!L2GetValueFromClassifyContext+d0
fffff801`2ba41180 833900          cmp     dword ptr [rcx],0

CPU_COUNT: 4

CPU_MHZ: a22

CPU_VENDOR:  GenuineIntel

CPU_FAMILY: 6

CPU_MODEL: 45

CPU_STEPPING: 1

CPU_MICROCODE: 6,45,1,0 (F,M,S,R)  SIG: 24'00000000 (cache) 24'00000000 (init)

BLACKBOXBSD: 1 (!blackboxbsd)


BLACKBOXPNP: 1 (!blackboxpnp)


DEFAULT_BUCKET_ID:  WIN8_DRIVER_FAULT

BUGCHECK_STR:  AV

PROCESS_NAME:  System

ANALYSIS_SESSION_HOST:  MICHAL

ANALYSIS_SESSION_TIME:  04-18-2019 12:06:43.0629

ANALYSIS_VERSION: 10.0.17763.132 amd64fre

TRAP_FRAME:  fffffc0c7c661450 -- (.trap 0xfffffc0c7c661450)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=00000000158d4800 rbx=0000000000000000 rcx=ffff998a42426d24
rdx=ffff998637c4ebb0 rsi=0000000000000000 rdi=0000000000000000
rip=fffff8012ba41180 rsp=fffffc0c7c6615e8 rbp=00f300800b000000
 r8=fffffc0c7c661800  r9=0000000000000000 r10=0000fffff8012ba4
r11=ffffba792ec00000 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0         nv up ei ng nz na po nc
wfplwfs!L2GetValueFromClassifyContext+0xd0:
fffff801`2ba41180 833900          cmp     dword ptr [rcx],0 ds:ffff998a`42426d24=????????
Resetting default scope

LAST_CONTROL_TRANSFER:  from fffff801273d4f69 to fffff801273c32a0

STACK_TEXT:  
fffffc0c`7c661308 fffff801`273d4f69 : 00000000`0000000a ffff998a`42426d24 00000000`00000002 00000000`00000000 : nt!KeBugCheckEx
fffffc0c`7c661310 fffff801`273d12a5 : 00000000`00000001 ffff9986`30181580 ffff3905`a07f370b 00000000`00000001 : nt!KiBugCheckDispatch+0x69
fffffc0c`7c661450 fffff801`2ba41180 : fffff801`2b9c1568 ffff9986`37b40fd8 00000000`00000000 00000000`00000003 : nt!KiPageFault+0x465
fffffc0c`7c6615e8 fffff801`2b9c1568 : ffff9986`37b40fd8 00000000`00000000 00000000`00000003 fffffc0c`7c661690 : wfplwfs!L2GetValueFromClassifyContext+0xd0
fffffc0c`7c6615f0 fffff801`23e430e9 : fffffc0c`00000003 fffffc0c`7c661690 ffff9986`37b40030 fffff801`2b50c33a : fwpkclnt!FwpiGetValueFromClassifyContext+0x38
fffffc0c`7c661640 fffff801`2b617c77 : fffffc0c`7c661850 00000000`00000002 ffff9986`00000004 fffff801`2b51cec6 : Ndu!NduOutboundMacClassify+0x109
fffffc0c`7c6616c0 fffff801`2ba4176c : ffffca81`8f959140 ffff9986`37c65680 00000000`00000000 00000000`158d4800 : NETIO!KfdClassify2+0x197
fffffc0c`7c661790 fffff801`2b4854a8 : ffff9986`34960850 00000000`00000001 00000000`00000000 33333333`33333333 : wfplwfs!LwfLowerSendNetBufferLists+0x12c
fffffc0c`7c6618d0 fffff801`2b4bc12a : 00000000`00000000 fffffc0c`7c661999 ffff9986`37c4dbf0 ffff9986`37c65780 : ndis!ndisCallSendHandler+0x58
fffffc0c`7c661920 fffff801`2b484b05 : 00000000`00000001 00000000`158d4800 ffff9986`37c50bb0 ffff9986`34d93a00 : ndis!ndisInvokeNextSendHandler+0x1de7a
fffffc0c`7c6619f0 fffff801`2b48601a : ffff9986`3a5a5070 ffff9986`37b3b010 ffff9986`37c50bb0 fffff801`3449081b : ndis!ndisFilterSendNetBufferLists+0xd5
fffffc0c`7c661a30 fffff801`34495269 : 00000000`00080000 ffff9986`37b3b010 ffff9986`158d4800 00000000`00000001 : ndis!NdisFSendNetBufferLists+0x5a
fffffc0c`7c661ae0 fffff801`34487af3 : ffff9986`372f3e90 00000000`00080000 ffff9986`37b3b010 fffff801`27916149 : inspect+0x15269
fffffc0c`7c661b10 fffff801`34487fb3 : ffff9986`372f3e90 ffff9986`34d93a40 ffff9986`37b3b010 ffff9986`379cb050 : inspect+0x7af3
fffffc0c`7c661b40 fffff801`34493cbf : ffff9986`34406010 ffff9986`34d93a40 ffff9986`37b3b010 fffff801`00000000 : inspect+0x7fb3
fffffc0c`7c661b70 fffff801`34494109 : ffff9986`349570e0 00000000`00000000 ffff9986`37b3b3a0 ffff9986`37b3b010 : inspect+0x13cbf
fffffc0c`7c661bc0 fffff801`27336075 : ffff9986`37c65680 00000000`00000080 fffff801`34494010 00002425`bd9bbfff : inspect+0x14109
fffffc0c`7c661c10 fffff801`273ca7ea : ffffca81`8f948180 ffff9986`37c65680 fffff801`27336020 00000000`00000000 : nt!PspSystemThreadStartup+0x55
fffffc0c`7c661c60 00000000`00000000 : fffffc0c`7c662000 fffffc0c`7c65c000 00000000`00000000 00000000`00000000 : nt!KiStartSystemThread+0x2a


THREAD_SHA1_HASH_MOD_FUNC:  ee80585109ff063c05bd800c9f84d00c85baff94

THREAD_SHA1_HASH_MOD_FUNC_OFFSET:  28389a85533f0818cef6563390262ea139c9cb9e

THREAD_SHA1_HASH_MOD:  db540fc6d3a905712a4af70351df3d9265d5ab82

FOLLOWUP_IP: 
wfplwfs!L2GetValueFromClassifyContext+d0
fffff801`2ba41180 833900          cmp     dword ptr [rcx],0

FAULT_INSTR_CODE:  75003983

SYMBOL_STACK_INDEX:  3

SYMBOL_NAME:  wfplwfs!L2GetValueFromClassifyContext+d0

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: wfplwfs

IMAGE_NAME:  wfplwfs.sys

DEBUG_FLR_IMAGE_TIMESTAMP:  51ee7251

STACK_COMMAND:  .thread ; .cxr ; kb

BUCKET_ID_FUNC_OFFSET:  d0

FAILURE_BUCKET_ID:  AV_wfplwfs!L2GetValueFromClassifyContext

BUCKET_ID:  AV_wfplwfs!L2GetValueFromClassifyContext

PRIMARY_PROBLEM_CLASS:  AV_wfplwfs!L2GetValueFromClassifyContext

TARGET_TIME:  2019-04-17T21:37:14.000Z

OSBUILD:  18875

OSSERVICEPACK:  0

SERVICEPACK_NUMBER: 0

OS_REVISION: 0

SUITE_MASK:  272

PRODUCT_TYPE:  1

OSPLATFORM_TYPE:  x64

OSNAME:  Windows 10

OSEDITION:  Windows 10 WinNt TerminalServer SingleUserTS

OS_LOCALE:  

USER_LCID:  0

OSBUILD_TIMESTAMP:  1970-01-14 12:24:16

BUILDDATESTAMP_STR:  190405-1518

BUILDLAB_STR:  rs_prerelease

BUILDOSVER_STR:  10.0.18875.1000.amd64fre.rs_prerelease.190405-1518

ANALYSIS_SESSION_ELAPSED_TIME:  2ad5

ANALYSIS_SOURCE:  KM

FAILURE_ID_HASH_STRING:  km:av_wfplwfs!l2getvaluefromclassifycontext

FAILURE_ID_HASH:  {4f34dcc7-63d7-f181-d87e-bc62cd01b7eb}

Followup:     MachineOwner
---------

The Comodo internet security firewall is to blame:

Code:

2: kd> lmvm inspect
Browse full module list
start             end                 module name
fffff801`34480000 fffff801`344a0000   inspect    (no symbols)           
    Loaded symbol image file: inspect.sys
    Image path: \SystemRoot\system32\DRIVERS\inspect.sys
    Image name: inspect.sys
    Browse all global symbols  functions  data
    Timestamp:        Fri Mar 15 06:31:55 2019 (5C8BB75B)
    CheckSum:         000228C6
    ImageSize:        00020000
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4
    Information from resource tables:

Uninstall it

zbook · 18 Apr 2019

See posting instructions:

BSOD - Posting Instructions - Windows 10 Forums

ch3mn3y · 19 Apr 2019

@MrPepka
Thanks, that was the problem. I liked this firewall...