Code:
Microsoft (R) Windows Debugger Version 10.0.17763.132 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.
Loading Dump File [F:\MEMORY.DMP]
Kernel Bitmap Dump File: Kernel address space is available, User address space may not be available.
************* Path validation summary **************
Response Time (ms) Location
Deferred SRV*
Symbol search path is: SRV*
Executable search path is:
Windows 10 Kernel Version 18875 MP (4 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 18875.1000.amd64fre.rs_prerelease.190405-1518
Machine Name:
Kernel base = 0xfffff801`27000000 PsLoadedModuleList = 0xfffff801`27a22110
Debug session time: Wed Apr 17 23:37:14.926 2019 (UTC + 2:00)
System Uptime: 0 days 0:02:11.711
Loading Kernel Symbols
......................................Page 2001aa19f too large to be in the dump file.
.........................
................................................................
................................................................
...
Loading User Symbols
Loading unloaded module list
..............
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
Use !analyze -v to get detailed debugging information.
BugCheck D1, {ffff998a42426d24, 2, 0, fffff8012ba41180}
*** ERROR: Module load completed but symbols could not be loaded for inspect.sys
Probably caused by : wfplwfs.sys ( wfplwfs!L2GetValueFromClassifyContext+d0 )
Followup: MachineOwner
---------
2: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high. This is usually
caused by drivers using improper addresses.
If kernel debugger is available get stack backtrace.
Arguments:
Arg1: ffff998a42426d24, memory referenced
Arg2: 0000000000000002, IRQL
Arg3: 0000000000000000, value 0 = read operation, 1 = write operation
Arg4: fffff8012ba41180, address which referenced memory
Debugging Details:
------------------
KEY_VALUES_STRING: 1
STACKHASH_ANALYSIS: 1
TIMELINE_ANALYSIS: 1
DUMP_CLASS: 1
DUMP_QUALIFIER: 401
BUILD_VERSION_STRING: 18875.1000.amd64fre.rs_prerelease.190405-1518
SYSTEM_MANUFACTURER: Dell Inc.
SYSTEM_PRODUCT_NAME: Latitude E5440
SYSTEM_SKU: 05DE
SYSTEM_VERSION: 00
BIOS_VENDOR: Dell Inc.
BIOS_VERSION: A23
BIOS_DATE: 10/08/2018
BASEBOARD_MANUFACTURER: Dell Inc.
BASEBOARD_PRODUCT: 0TTRNR
BASEBOARD_VERSION: A00
DUMP_TYPE: 1
BUGCHECK_P1: ffff998a42426d24
BUGCHECK_P2: 2
BUGCHECK_P3: 0
BUGCHECK_P4: fffff8012ba41180
READ_ADDRESS: Unable to get offset of nt!_MI_VISIBLE_STATE.SpecialPool
Unable to get value of nt!_MI_VISIBLE_STATE.SessionSpecialPool
ffff998a42426d24 Nonpaged pool
CURRENT_IRQL: 2
FAULTING_IP:
wfplwfs!L2GetValueFromClassifyContext+d0
fffff801`2ba41180 833900 cmp dword ptr [rcx],0
CPU_COUNT: 4
CPU_MHZ: a22
CPU_VENDOR: GenuineIntel
CPU_FAMILY: 6
CPU_MODEL: 45
CPU_STEPPING: 1
CPU_MICROCODE: 6,45,1,0 (F,M,S,R) SIG: 24'00000000 (cache) 24'00000000 (init)
BLACKBOXBSD: 1 (!blackboxbsd)
BLACKBOXPNP: 1 (!blackboxpnp)
DEFAULT_BUCKET_ID: WIN8_DRIVER_FAULT
BUGCHECK_STR: AV
PROCESS_NAME: System
ANALYSIS_SESSION_HOST: MICHAL
ANALYSIS_SESSION_TIME: 04-18-2019 12:06:43.0629
ANALYSIS_VERSION: 10.0.17763.132 amd64fre
TRAP_FRAME: fffffc0c7c661450 -- (.trap 0xfffffc0c7c661450)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=00000000158d4800 rbx=0000000000000000 rcx=ffff998a42426d24
rdx=ffff998637c4ebb0 rsi=0000000000000000 rdi=0000000000000000
rip=fffff8012ba41180 rsp=fffffc0c7c6615e8 rbp=00f300800b000000
r8=fffffc0c7c661800 r9=0000000000000000 r10=0000fffff8012ba4
r11=ffffba792ec00000 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei ng nz na po nc
wfplwfs!L2GetValueFromClassifyContext+0xd0:
fffff801`2ba41180 833900 cmp dword ptr [rcx],0 ds:ffff998a`42426d24=????????
Resetting default scope
LAST_CONTROL_TRANSFER: from fffff801273d4f69 to fffff801273c32a0
STACK_TEXT:
fffffc0c`7c661308 fffff801`273d4f69 : 00000000`0000000a ffff998a`42426d24 00000000`00000002 00000000`00000000 : nt!KeBugCheckEx
fffffc0c`7c661310 fffff801`273d12a5 : 00000000`00000001 ffff9986`30181580 ffff3905`a07f370b 00000000`00000001 : nt!KiBugCheckDispatch+0x69
fffffc0c`7c661450 fffff801`2ba41180 : fffff801`2b9c1568 ffff9986`37b40fd8 00000000`00000000 00000000`00000003 : nt!KiPageFault+0x465
fffffc0c`7c6615e8 fffff801`2b9c1568 : ffff9986`37b40fd8 00000000`00000000 00000000`00000003 fffffc0c`7c661690 : wfplwfs!L2GetValueFromClassifyContext+0xd0
fffffc0c`7c6615f0 fffff801`23e430e9 : fffffc0c`00000003 fffffc0c`7c661690 ffff9986`37b40030 fffff801`2b50c33a : fwpkclnt!FwpiGetValueFromClassifyContext+0x38
fffffc0c`7c661640 fffff801`2b617c77 : fffffc0c`7c661850 00000000`00000002 ffff9986`00000004 fffff801`2b51cec6 : Ndu!NduOutboundMacClassify+0x109
fffffc0c`7c6616c0 fffff801`2ba4176c : ffffca81`8f959140 ffff9986`37c65680 00000000`00000000 00000000`158d4800 : NETIO!KfdClassify2+0x197
fffffc0c`7c661790 fffff801`2b4854a8 : ffff9986`34960850 00000000`00000001 00000000`00000000 33333333`33333333 : wfplwfs!LwfLowerSendNetBufferLists+0x12c
fffffc0c`7c6618d0 fffff801`2b4bc12a : 00000000`00000000 fffffc0c`7c661999 ffff9986`37c4dbf0 ffff9986`37c65780 : ndis!ndisCallSendHandler+0x58
fffffc0c`7c661920 fffff801`2b484b05 : 00000000`00000001 00000000`158d4800 ffff9986`37c50bb0 ffff9986`34d93a00 : ndis!ndisInvokeNextSendHandler+0x1de7a
fffffc0c`7c6619f0 fffff801`2b48601a : ffff9986`3a5a5070 ffff9986`37b3b010 ffff9986`37c50bb0 fffff801`3449081b : ndis!ndisFilterSendNetBufferLists+0xd5
fffffc0c`7c661a30 fffff801`34495269 : 00000000`00080000 ffff9986`37b3b010 ffff9986`158d4800 00000000`00000001 : ndis!NdisFSendNetBufferLists+0x5a
fffffc0c`7c661ae0 fffff801`34487af3 : ffff9986`372f3e90 00000000`00080000 ffff9986`37b3b010 fffff801`27916149 : inspect+0x15269
fffffc0c`7c661b10 fffff801`34487fb3 : ffff9986`372f3e90 ffff9986`34d93a40 ffff9986`37b3b010 ffff9986`379cb050 : inspect+0x7af3
fffffc0c`7c661b40 fffff801`34493cbf : ffff9986`34406010 ffff9986`34d93a40 ffff9986`37b3b010 fffff801`00000000 : inspect+0x7fb3
fffffc0c`7c661b70 fffff801`34494109 : ffff9986`349570e0 00000000`00000000 ffff9986`37b3b3a0 ffff9986`37b3b010 : inspect+0x13cbf
fffffc0c`7c661bc0 fffff801`27336075 : ffff9986`37c65680 00000000`00000080 fffff801`34494010 00002425`bd9bbfff : inspect+0x14109
fffffc0c`7c661c10 fffff801`273ca7ea : ffffca81`8f948180 ffff9986`37c65680 fffff801`27336020 00000000`00000000 : nt!PspSystemThreadStartup+0x55
fffffc0c`7c661c60 00000000`00000000 : fffffc0c`7c662000 fffffc0c`7c65c000 00000000`00000000 00000000`00000000 : nt!KiStartSystemThread+0x2a
THREAD_SHA1_HASH_MOD_FUNC: ee80585109ff063c05bd800c9f84d00c85baff94
THREAD_SHA1_HASH_MOD_FUNC_OFFSET: 28389a85533f0818cef6563390262ea139c9cb9e
THREAD_SHA1_HASH_MOD: db540fc6d3a905712a4af70351df3d9265d5ab82
FOLLOWUP_IP:
wfplwfs!L2GetValueFromClassifyContext+d0
fffff801`2ba41180 833900 cmp dword ptr [rcx],0
FAULT_INSTR_CODE: 75003983
SYMBOL_STACK_INDEX: 3
SYMBOL_NAME: wfplwfs!L2GetValueFromClassifyContext+d0
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: wfplwfs
IMAGE_NAME: wfplwfs.sys
DEBUG_FLR_IMAGE_TIMESTAMP: 51ee7251
STACK_COMMAND: .thread ; .cxr ; kb
BUCKET_ID_FUNC_OFFSET: d0
FAILURE_BUCKET_ID: AV_wfplwfs!L2GetValueFromClassifyContext
BUCKET_ID: AV_wfplwfs!L2GetValueFromClassifyContext
PRIMARY_PROBLEM_CLASS: AV_wfplwfs!L2GetValueFromClassifyContext
TARGET_TIME: 2019-04-17T21:37:14.000Z
OSBUILD: 18875
OSSERVICEPACK: 0
SERVICEPACK_NUMBER: 0
OS_REVISION: 0
SUITE_MASK: 272
PRODUCT_TYPE: 1
OSPLATFORM_TYPE: x64
OSNAME: Windows 10
OSEDITION: Windows 10 WinNt TerminalServer SingleUserTS
OS_LOCALE:
USER_LCID: 0
OSBUILD_TIMESTAMP: 1970-01-14 12:24:16
BUILDDATESTAMP_STR: 190405-1518
BUILDLAB_STR: rs_prerelease
BUILDOSVER_STR: 10.0.18875.1000.amd64fre.rs_prerelease.190405-1518
ANALYSIS_SESSION_ELAPSED_TIME: 2ad5
ANALYSIS_SOURCE: KM
FAILURE_ID_HASH_STRING: km:av_wfplwfs!l2getvaluefromclassifycontext
FAILURE_ID_HASH: {4f34dcc7-63d7-f181-d87e-bc62cd01b7eb}
Followup: MachineOwner
---------
The Comodo Internet Security firewall is to blame:
Code:
2: kd> lmvm inspect
Browse full module list
start end module name
fffff801`34480000 fffff801`344a0000 inspect (no symbols)
Loaded symbol image file: inspect.sys
Image path: \SystemRoot\system32\DRIVERS\inspect.sys
Image name: inspect.sys
Browse all global symbols functions data
Timestamp: Fri Mar 15 06:31:55 2019 (5C8BB75B)
CheckSum: 000228C6
ImageSize: 00020000
Translations: 0000.04b0 0000.04e4 0409.04b0 0409.04e4
Information from resource tables:
Uninstall it.