BSOD (Surface Pro 3) - DMPs included

Hello,

I work for a school district and we are having many Surface Pro 3 devices (as well as some other devices with different hardware) get a BSOD.  All of these BSODs seem to be happening due to the same file (NETIO.SYS).  That being said, I am including a link to my OneDrive folder that has the dump files from a computer that has done this as recently as today.   I named the most recent file "Latest Dump.dmp".  Can any of you please help us out in troubleshooting what is going on here?

Our network environment is all Cisco and we do not have FlexConnect turned on.  

Link to the Dump files: http://1drv.ms/1AwAK9Q

-----------------------------

Loading Dump File [C:\052615-6593-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available

Symbol search path is: *** Invalid ***
****************************************************************************
* Symbol loading may be unreliable without a symbol search path.           *
* Use .symfix to have the debugger choose a symbol path.                   *
* After setting your symbol path, use .reload to refresh symbol locations. *
****************************************************************************
Executable search path is: 
*********************************************************************
* Symbols can not be loaded because symbol path is not initialized. *
*                                                                   *
* The Symbol Path can be set by:                                    *
*   using the _NT_SYMBOL_PATH environment variable.                 *
*   using the -y <symbol_path> argument when starting the debugger. *
*   using .sympath and .sympath+                                    *
*********************************************************************
Unable to load image \SystemRoot\system32\ntoskrnl.exe, Win32 error 0n2
*** WARNING: Unable to verify timestamp for ntoskrnl.exe
*** ERROR: Module load completed but symbols could not be loaded for ntoskrnl.exe
Windows 8 Kernel Version 9600 MP (4 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 9600.17736.amd64fre.winblue_r9.150322-1500
Machine Name:
Kernel base = 0xfffff802`1e878000 PsLoadedModuleList = 0xfffff802`1eb51850
Debug session time: Tue May 26 10:05:27.760 2015 (UTC - 7:00)
System Uptime: 0 days 0:02:34.962
*********************************************************************
* Symbols can not be loaded because symbol path is not initialized. *
*                                                                   *
* The Symbol Path can be set by:                                    *
*   using the _NT_SYMBOL_PATH environment variable.                 *
*   using the -y <symbol_path> argument when starting the debugger. *
*   using .sympath and .sympath+                                    *
*********************************************************************
Unable to load image \SystemRoot\system32\ntoskrnl.exe, Win32 error 0n2
*** WARNING: Unable to verify timestamp for ntoskrnl.exe
*** ERROR: Module load completed but symbols could not be loaded for ntoskrnl.exe
Loading Kernel Symbols
...............................................................
................................................................
...........................................
Loading User Symbols
Loading unloaded module list
............

************* Symbol Loading Error Summary **************
Module name            Error
ntoskrnl               The system cannot find the file specified

You can troubleshoot most symbol related issues by turning on symbol loading diagnostics (!sym noisy) and repeating the command that caused symbols to be loaded.
You should also verify that your symbol search path (.sympath) is correct.
*** WARNING: Unable to verify timestamp for NETIO.SYS
*** ERROR: Module load completed but symbols could not be loaded for NETIO.SYS



  • Edited by joshMUSD 10 hours 16 minutes ago
May 26th, 2015 5:10pm

Josh

I can tell you what it is related to but can find no reference to the file in Google.  It is related to NSWebFilterDriver.sys but since it appears to be surface specific I cant tell you what to do about it.  The 5 most current crashes were all caused by the above

Microsoft (R) Windows Debugger Version 10.0.10075.9 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.


Loading Dump File [C:\Users\zigza\Desktop\052615-6468-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available


************* Symbol Path validation summary **************
Response                         Time (ms)     Location
Deferred                                       SRV*D:\Symbols*http://msdl.microsoft.com/download/symbols
Symbol search path is: SRV*D:\Symbols*http://msdl.microsoft.com/download/symbols
Executable search path is: 
Windows 8.1 Kernel Version 9600 MP (4 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 9600.17736.amd64fre.winblue_r9.150322-1500
Machine Name:
Kernel base = 0xfffff801`ba483000 PsLoadedModuleList = 0xfffff801`ba75c850
Debug session time: Tue May 26 15:03:00.892 2015 (UTC - 4:00)
System Uptime: 0 days 1:00:26.050
Loading Kernel Symbols
...............................................................
................................................................
.........................................
Loading User Symbols
Loading unloaded module list
..................
No .natvis files found at C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\Visualizers.
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 1000007E, {ffffffffc0000005, fffff801d7c52cc0, ffffd000218fe788, ffffd000218fdf90}

*** WARNING: Unable to verify timestamp for NSWebFilterDriver.sys
*** ERROR: Module load completed but symbols could not be loaded for NSWebFilterDriver.sys
Probably caused by : NETIO.SYS ( NETIO!StreamDatapTruncateAfterOffset+0 )

Followup:     MachineOwner
---------

0: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

SYSTEM_THREAD_EXCEPTION_NOT_HANDLED_M (1000007e)
This is a very common bugcheck.  Usually the exception address pinpoints
the driver/function that caused the problem.  Always note this address
as well as the link date of the driver/image that contains this address.
Some common problems are exception code 0x80000003.  This means a hard
coded breakpoint or assertion was hit, but this system was booted
/NODEBUG.  This is not supposed to happen as developers should never have
hardcoded breakpoints in retail code, but ...
If this happens, make sure a debugger gets connected, and the
system is booted /DEBUG.  This will let us see why this breakpoint is
happening.
Arguments:
Arg1: ffffffffc0000005, The exception code that was not handled
Arg2: fffff801d7c52cc0, The address that the exception occurred at
Arg3: ffffd000218fe788, Exception Record Address
Arg4: ffffd000218fdf90, Context Record Address

Debugging Details:
------------------


SYSTEM_SKU:  Surface_Pro_3

SYSTEM_VERSION:  1

BIOS_DATE:  03/16/2015

BASEBOARD_PRODUCT:  Surface Pro 3

BASEBOARD_VERSION:  1

BUGCHECK_P1: ffffffffc0000005

BUGCHECK_P2: fffff801d7c52cc0

BUGCHECK_P3: ffffd000218fe788

BUGCHECK_P4: ffffd000218fdf90

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.

FAULTING_IP: 
NETIO!StreamDatapTruncateAfterOffset+0
fffff801`d7c52cc0 4c8b4108        mov     r8,qword ptr [rcx+8]

EXCEPTION_RECORD:  ffffd000218fe788 -- (.exr 0xffffd000218fe788)
ExceptionAddress: fffff801d7c52cc0 (NETIO!StreamDatapTruncateAfterOffset)
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 0000000000000000
   Parameter[1]: 0000000000000008
Attempt to read from address 0000000000000008

CONTEXT:  ffffd000218fdf90 -- (.cxr 0xffffd000218fdf90)
rax=ffffd000218fea00 rbx=0000000000000000 rcx=0000000000000000
rdx=0000000000000564 rsi=fffff801d8117360 rdi=0000000000000000
rip=fffff801d7c52cc0 rsp=ffffd000218fe9c8 rbp=ffffe000b10fcef0
 r8=0000000000000ac8  r9=ffffd000218fea08 r10=0000000000000000
r11=0000000000000564 r12=ffffd000218feb08 r13=ffffe000af59a2b0
r14=0000000000000000 r15=ffffe000b3498a60
iopl=0         nv up ei pl zr na po nc
cs=0010  ss=0018  ds=002b  es=002b  fs=0053  gs=002b             efl=00010246
NETIO!StreamDatapTruncateAfterOffset:
fffff801`d7c52cc0 4c8b4108        mov     r8,qword ptr [rcx+8] ds:002b:00000000`00000008=????????????????
Resetting default scope

CPU_COUNT: 4

CPU_MHZ: 9be

CPU_VENDOR:  GenuineIntel

CPU_FAMILY: 6

CPU_MODEL: 45

CPU_STEPPING: 1

CUSTOMER_CRASH_COUNT:  1

PROCESS_NAME:  System

CURRENT_IRQL:  0

ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.

EXCEPTION_PARAMETER1:  0000000000000000

EXCEPTION_PARAMETER2:  0000000000000008

READ_ADDRESS: GetPointerFromAddress: unable to read from fffff801ba7e6138
GetUlongPtrFromAddress: unable to read from fffff801ba7e6298
GetUlongPtrFromAddress: unable to read from fffff801ba7e6520
 0000000000000008 

FOLLOWUP_IP: 
NETIO!StreamDatapTruncateAfterOffset+0
fffff801`d7c52cc0 4c8b4108        mov     r8,qword ptr [rcx+8]

BUGCHECK_STR:  AV

DEFAULT_BUCKET_ID:  NULL_CLASS_PTR_DEREFERENCE

ANALYSIS_VERSION: 10.0.10075.9 amd64fre

LAST_CONTROL_TRANSFER:  from fffff801d7c4caf6 to fffff801d7c52cc0

STACK_TEXT:  
ffffd000`218fe9c8 fffff801`d7c4caf6 : 00000000`00000000 00000000`00000000 ffffe000`b0ffe780 fffff801`d811713c : NETIO!StreamDatapTruncateAfterOffset
ffffd000`218fe9d0 fffff801`d8117298 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : NETIO!FwppTruncateStreamDataAfterOffset+0x46
ffffd000`218fea30 fffff801`d8454ad8 : 00000000`00000000 ffffe000`b0fb2640 ffffe000`b0ffe780 ffffe000`b1d1a440 : fwpkclnt!FwpsCloneStreamData0+0x108
ffffd000`218feaa0 00000000`00000000 : ffffe000`b0fb2640 ffffe000`b0ffe780 ffffe000`b1d1a440 ffffd000`218feb08 : NSWebFilterDriver+0x1ad8


SYMBOL_STACK_INDEX:  0

SYMBOL_NAME:  NETIO!StreamDatapTruncateAfterOffset+0

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: NETIO

IMAGE_NAME:  NETIO.SYS

DEBUG_FLR_IMAGE_TIMESTAMP:  546029c5

IMAGE_VERSION:  6.3.9600.17485

STACK_COMMAND:  .cxr 0xffffd000218fdf90 ; kb

BUCKET_ID_FUNC_OFFSET:  0

FAILURE_BUCKET_ID:  AV_NETIO!StreamDatapTruncateAfterOffset

BUCKET_ID:  AV_NETIO!StreamDatapTruncateAfterOffset

PRIMARY_PROBLEM_CLASS:  AV_NETIO!StreamDatapTruncateAfterOffset

ANALYSIS_SOURCE:  KM

FAILURE_ID_HASH_STRING:  km:av_netio!streamdataptruncateafteroffset

FAILURE_ID_HASH:  {910bcc28-e598-dec8-d33b-e5cabf5f5dd8}

Followup:     MachineOwner
---------

0: kd> .exr 0xffffd000218fe788
ExceptionAddress: fffff801d7c52cc0 (NETIO!StreamDatapTruncateAfterOffset)
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 0000000000000000
   Parameter[1]: 0000000000000008
Attempt to read from address 0000000000000008

Free Windows Admin Tool Kit Click here and download it now
May 26th, 2015 5:56pm

Hi joshMUSD,

Based on the analysis of ZigZag3143x, I found that nswebfilterdriver.sys belongs to product NetSupport Web Filter Driver and was developed by company Netsupport.
Are you using any products of Netsupport?

Here is a link for reference:
What is the "nswebfilterdriver.sys"?
http://systemexplorer.net/file-database/file/nswebfilterdriver-sys/26512642

NOTE: This response contains a reference to a third party World Wide Web site. Microsoft is providing this information as a convenience to you. Microsoft does not control these sites and has not tested any software or information found on these sites.

Best r

May 26th, 2015 11:27pm

MX

+1 Thanks

Free Windows Admin Tool Kit Click here and download it now
May 26th, 2015 11:31pm

This topic is archived. No further replies will be accepted.

Other recent topics Other recent topics