One or 2 BSODS a day. Please help!!! possible culprits NETIO.SYS/ndis.sys
Hi
My torrenting is causing BSODs daily. Here's the latest dump file info.
Microsoft (R) Windows Debugger Version 6.2.8400.4218 X86
Copyright (c) Microsoft Corporation. All rights reserved.
Loading Dump File [C:\Windows\Minidump\070912-41933-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available
Symbol search path is: SRV*c:\symbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
Windows 7 Kernel Version 7601 (Service Pack 1) MP (4 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 7601.17835.amd64fre.win7sp1_gdr.120503-2030
Machine Name:
Kernel base = 0xfffff800`03c57000 PsLoadedModuleList = 0xfffff800`03e9b670
Debug session time: Mon Jul 9 07:56:05.158 2012 (UTC - 4:00)
System Uptime: 0 days 6:24:54.313
Loading Kernel Symbols
...............................................................
................................................................
...................................................
Loading User Symbols
Loading unloaded module list
......
*******************************************************************************
*
*
* Bugcheck Analysis
*
*
*
*******************************************************************************
Use !analyze -v to get detailed debugging information.
BugCheck D1, {28, 2, 0, fffff88001737b2d}
*** WARNING: Unable to verify timestamp for ndis.sys
*** ERROR: Module load completed but symbols could not be loaded for ndis.sys
Probably caused by : NETIO.SYS ( NETIO!RtlCopyBufferToMdl+1d )
Followup: MachineOwner
---------
2: kd> !analyze -v
*******************************************************************************
*
*
* Bugcheck Analysis
*
*
*
*******************************************************************************
DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high. This is usually
caused by drivers using improper addresses.
If kernel debugger is available get stack backtrace.
Arguments:
Arg1: 0000000000000028, memory referenced
Arg2: 0000000000000002, IRQL
Arg3: 0000000000000000, value 0 = read operation, 1 = write operation
Arg4: fffff88001737b2d, address which referenced memory
Debugging Details:
------------------
READ_ADDRESS: GetPointerFromAddress: unable to read from fffff80003f05100
GetUlongFromAddress: unable to read from fffff80003f051c0
0000000000000028 Nonpaged pool
CURRENT_IRQL: 2
FAULTING_IP:
NETIO!RtlCopyBufferToMdl+1d
fffff880`01737b2d 448b5228 mov r10d,dword ptr [rdx+28h]
CUSTOMER_CRASH_COUNT: 1
DEFAULT_BUCKET_ID: WIN7_DRIVER_FAULT
BUGCHECK_STR: 0xD1
PROCESS_NAME: System
TRAP_FRAME: fffff880033b5660 -- (.trap 0xfffff880033b5660)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=fffff880033b5880 rbx=0000000000000000 rcx=0000000000000000
rdx=0000000000000000 rsi=0000000000000000 rdi=0000000000000000
rip=fffff88001737b2d rsp=fffff880033b57f0 rbp=fffff880033b5920
r8=00000000ffffffbc r9=0000000000000044 r10=0000000000000000
r11=fffffa8012cb7740 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei pl zr na po nc
NETIO!RtlCopyBufferToMdl+0x1d:
fffff880`01737b2d 448b5228 mov r10d,dword ptr [rdx+28h] ds:00000000`00000028=????????
Resetting default scope
LAST_CONTROL_TRANSFER: from fffff80003cd5769 to fffff80003cd61c0
STACK_TEXT:
fffff880`033b5518 fffff800`03cd5769 : 00000000`0000000a 00000000`00000028 00000000`00000002 00000000`00000000 : nt!KeBugCheckEx
fffff880`033b5520 fffff800`03cd43e0 : fffffa80`0cddcb20 fffff880`01899b02 00000000`00000001 00000000`00000044 : nt!KiBugCheckDispatch+0x69
fffff880`033b5660 fffff880`01737b2d : fffffa80`141f2510 00000000`00000060 00000000`0000000e fffffa80`0cddccc8 : nt!KiPageFault+0x260
fffff880`033b57f0 fffff880`018d90cc : 00000000`00000000 fffff880`018a76b6 00000000`00000001 fffff880`02ccc00f : NETIO!RtlCopyBufferToMdl+0x1d
fffff880`033b5850 fffff880`018a4ca3 : fffffa80`12cb7740 00000000`00000001 fffffa80`141f2510 00000000`00000000 : tcpip! ?? ::FNODOBFM::`string'+0x1d1ef
fffff880`033b58c0 fffff880`01897a84 : fffff880`033b5d78 fffffa80`00000029 fffffa80`141f2510 00000000`00000001 : tcpip!TcpTcbCarefulDatagram+0x543
fffff880`033b5a70 fffff880`018963aa : fffffa80`0dc73bd0 fffff880`0188f294 fffffa80`0dc50c40 00000000`00000000 : tcpip!TcpTcbReceive+0x694
fffff880`033b5c20 fffff880`01897fdb : fffff880`0748108e fffffa80`0ddab000 00000000`00000000 fffff880`033b5f00 : tcpip!TcpMatchReceive+0x1fa
fffff880`033b5d70 fffff880`0188f927 : fffffa80`0dc73bd0 fffffa80`0dc71bcb fffffa80`000064b2 00000000`000064b2 : tcpip!TcpPreValidatedReceive+0x36b
fffff880`033b5e40 fffff880`0188f49a : 00000000`00000000 fffff880`019a3800 fffff880`033b6000 00001f80`005d0078 : tcpip!IppDeliverListToProtocol+0x97
fffff880`033b5f00 fffff880`0188ea99 : 00000000`00000000 00000000`00000000 00000000`00000000 fffff880`033b5ff0 : tcpip!IppProcessDeliverList+0x5a
fffff880`033b5fa0 fffff880`0188c7ff : 00000000`00000000 00000000`0f58c000 fffff880`019a3800 fffff880`019a3800 : tcpip!IppReceiveHeaderBatch+0x23a
fffff880`033b6080 fffff880`0188bdf2 : fffffa80`0f203220 00000000`00000000 fffffa80`0f58c000 00000000`00000001 : tcpip!IpFlcReceivePackets+0x64f
fffff880`033b6280 fffff880`019042ea : fffffa80`118a5620 fffffa80`111786b0 fffffa80`0f58c010 fffffa80`0dc80d18 : tcpip!FlpReceiveNonPreValidatedNetBufferListChain+0x2b2
fffff880`033b6360 fffff800`03ce1e48 : fffff880`033b6370 00000001`00000001 fffffa80`0ce3b040 00000000`00000001 : tcpip! ?? ::FNODOBFM::`string'+0x52f02
fffff880`033b63b0 fffff880`0188b952 : fffff880`0188b1b0 fffffa80`115e4a30 fffff880`033b6500 00000000`00000001 : nt!KeExpandKernelStackAndCalloutEx+0xd8
fffff880`033b6490 fffff880`016f20eb : fffffa80`0f58c7c0 00000000`00000000 fffffa80`0ee921a0 fffffa80`114541f2 : tcpip!FlReceiveNetBufferListChain+0xb2
fffff880`033b6500 fffffa80`0f58c7c0 : 00000000`00000000 fffffa80`0ee921a0 fffffa80`114541f2 fffffa80`00000100 : ndis+0xbf0eb
fffff880`033b6508 00000000`00000000 : fffffa80`0ee921a0 fffffa80`114541f2 fffffa80`00000100 00000000`00000001 : 0xfffffa80`0f58c7c0
STACK_COMMAND: kb
FOLLOWUP_IP:
NETIO!RtlCopyBufferToMdl+1d
fffff880`01737b2d 448b5228 mov r10d,dword ptr [rdx+28h]
SYMBOL_STACK_INDEX: 3
SYMBOL_NAME: NETIO!RtlCopyBufferToMdl+1d
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: NETIO
IMAGE_NAME: NETIO.SYS
DEBUG_FLR_IMAGE_TIMESTAMP: 4ce79381
FAILURE_BUCKET_ID: X64_0xD1_NETIO!RtlCopyBufferToMdl+1d
BUCKET_ID: X64_0xD1_NETIO!RtlCopyBufferToMdl+1d
Followup: MachineOwner
---------
And here's the link for the dump files.
https://skydrive.live.com/redir?resid=EBEAB13E9C29DDAC!118
Thanks.
Masood.
July 9th, 2012 9:31am
Also, I have checked the network drivers from Device Manager and they are up to date. Do you need the small dumps or the kernel dumps?
Thanks.
Masood.
July 9th, 2012 11:03am
Thanks. I have uninstalled McAfee AV and installed Microsoft Essentials.
Buddy, what's ZoneAlarm? I don't think I have it... checked in msconfig.exe and there is nothing named ZoneAlarm.
And I don't have any Symantec product, so do I still need to disable NetBIOS over TCP/IP?
Thanks.
Masood.
July 9th, 2012 11:34am
Please post a copy of your dumpfile as a shared file to your Sky Drive with a link here.
http://social.technet.microsoft.com/Forums/en-US/w7itproui/thread/4fc10639-02db-4665-993a-08d865088d65
For advice on how to configure your system to create dump files please read:
http://support.microsoft.com/kb/254649
The dumpfile will be created at c:\windows\minidump. You may need to change your settings in Windows to be able to see the file. To show hidden files type Folder Options in the search box above the Start button and select View, Advanced Settings and verify that the box before "Show hidden files and folders" is checked and "Hide protected operating system files" is unchecked. You may need to scroll down to see the second item. You should also make certain that the box before "Hide extensions for known file types" is not checked.
What is your computer make and model? If not a branded computer what is your motherboard make and model?
Type System information in the Search Box above the start Button and press the ENTER key. What is your BIOS version and date?
Is your Windows 7 32 bit or 64 bit?
Hope this helps, Gerry
July 9th, 2012 2:34pm
Yes. I have uploaded the dumps in the folder "BSOD dumps" and made it public <https://skydrive.live.com/redir?resid=EBEAB13E9C29DDAC!123>
I have the latest BIOS v. 1208 and date 05.25.2012. Windows 7 x64 Pro.
Asus M5A99X EVO mobo <http://www.asus.com/Motherboards/AMD_AM3Plus/M5A99X_EVO/#>
OS Name Microsoft Windows 7 Professional
Version 6.1.7601 Service Pack 1 Build 7601
Other OS Description Not Available
OS Manufacturer Microsoft Corporation
System Name MASOOD-PRO-PC
System Manufacturer To be filled by O.E.M.
System Model To be filled by O.E.M.
System Type x64-based PC
Processor AMD Phenom(tm) II X4 945 Processor, 3000 Mhz, 4 Core(s), 4 Logical Processor(s)
BIOS Version/Date American Megatrends Inc. 1208, 4/18/2012
SMBIOS Version 2.7
Windows Directory C:\Windows
System Directory C:\Windows\system32
Boot Device \Device\HarddiskVolume1
Locale United States
Hardware Abstraction Layer Version = "6.1.7601.17514"
User Name Not Available
Time Zone Eastern Daylight Time
Installed Physical Memory (RAM) 16.0 GB
Total Physical Memory 16.0 GB
Available Physical Memory 12.6 GB
Total Virtual Memory 31.9 GB
Available Virtual Memory 28.6 GB
Page File Space 16.0 GB
Page File C:\pagefile.sys
Thanks.
Masood.
July 9th, 2012 3:25pm
Masood
Update
Realtek RTL8111E LAN Driver to version 7.48.823.2011 for Windows 7 32bit & 64bit dated 5 January 2012
Asmedia USB3.0 Controller Driver to version 1.14.1.0 for Windows XP/Vista/7 32bit & 64bit dated 13 October 2011
AMD AHCI Driver to version 1.2.1.292 for Windows Vista/7 32bit & 64bit dated 13 February 2012
http://www.asus.com/Motherboards/AMD_AM3Plus/M5A99X_EVO/#download
Hope this helps, Gerry
July 9th, 2012 6:59pm
Hi,
It's more related to BIOS, you'd better update to the latest version.
Here are some discussions that can be referred to.
Windows 7 ndis.sys blue screen error
http://social.technet.microsoft.com/Forums/en/w7itpronetworking/thread/99a0f44e-0320-4dde-aa70-afebe3e7613d
Bluescreen ndis.sys windows 7
http://answers.microsoft.com/en-us/windows/forum/windows_7-performance/bluescreen-ndissys-windows-7/05785887-52c1-4a98-b280-24b6413d323e
Ivan-Liu
TechNet Community Support
July 9th, 2012 10:47pm
I updated the BIOS and the other drivers since the first BSOD. I think the McAfee "snake oil" was causing the crashes. Since McAfee's removal, I have put the wireless card under heavy test which lasted around four hours without a crash while torrenting simultaneously.
I will download 72 GB tonight, which should last 10+ hours.
netio.sys is a network file, what's ndis.sys for?
Thanks guys.
Masood.
July 10th, 2012 9:18am
Network Driver Interface Specification (NDIS)
You should not assume that ndis.sys is the cause of the system failure. It rarely is. You have to debug the stack headed by ndis.sys to determine which driver is causing ndis.sys to fault. That is not an easy task.
Hope this helps, Gerry
July 10th, 2012 3:17pm
ndis.sys doesn't appear in the blue screen before restart. netio.sys does, but when I open the dump in WinDbg, I see an ndis.sys error like this:
"*** ERROR: Module load completed but symbols could not be loaded for ndis.sys."
Anyway, my download test has been running for seven hours now and no sight of a BSOD. I will keep it running till tonight, just to make sure. When I had the McAfee trash, it would see a crash within 60 minutes of downloading.
Did you find some other file as the cause and not netio? I was leaning towards netio because it showed netio in the blue screen.
Thanks.
Masood
July 10th, 2012 3:42pm
The error you received was most likely related to McAfee as the mfenlfk.sys was also involved in the crash:
BugCheck D1, {28, 2, 0, fffff880015aeb2d}
*** WARNING: Unable to verify timestamp for mfenlfk.sys
*** ERROR: Module load completed but symbols could not be loaded for
mfenlfk.sys
Probably caused by : NETIO.SYS ( NETIO!RtlCopyBufferToMdl+1d )
Consider replacing McAfee with alternative security software such as Microsoft Security Essentials.
If you decide to try reinstalling McAfee, I would suggest installing the following hotfix for the Operating System beforehand:
http://support.microsoft.com/kb/2664888
July 10th, 2012 5:17pm
Thanks auggy. But in the dumps why does it show netio and not mfenlfk.sys? Anyway, I have installed Essentials and thrown McAfee in the trash. So far no BSODs since I removed that crap.
Masood.
July 11th, 2012 8:56am
You have to debug the stack headed by netio.sys to determine which driver is causing netio.sys to fault. That is not an easy task. That is why people like Auggy are so helpful because they possess the debugging skills.
Hope this helps, Gerry
July 11th, 2012 3:21pm
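The triage step discussed in this thread (looking past the "Probably caused by" image to the other modules WinDbg flagged) can be scripted. The following is an added example, not code from any poster: `triage` is a hypothetical helper, and both sample inputs are constructed from the WinDbg lines quoted above, with the first stack trimmed.

```python
import re

# Constructed samples: lines copied from the two WinDbg outputs quoted in this
# thread; the first stack is trimmed to six frames.
DUMP_1 = r"""BugCheck D1, {28, 2, 0, fffff88001737b2d}
*** WARNING: Unable to verify timestamp for ndis.sys
*** ERROR: Module load completed but symbols could not be loaded for ndis.sys
Probably caused by : NETIO.SYS ( NETIO!RtlCopyBufferToMdl+1d )
STACK_TEXT:
fffff880`033b5518 fffff800`03cd5769 : 00000000`0000000a 00000000`00000028 00000000`00000002 00000000`00000000 : nt!KeBugCheckEx
fffff880`033b57f0 fffff880`018d90cc : 00000000`00000000 fffff880`018a76b6 00000000`00000001 fffff880`02ccc00f : NETIO!RtlCopyBufferToMdl+0x1d
fffff880`033b5850 fffff880`018a4ca3 : fffffa80`12cb7740 00000000`00000001 fffffa80`141f2510 00000000`00000000 : tcpip! ?? ::FNODOBFM::`string'+0x1d1ef
fffff880`033b58c0 fffff880`01897a84 : fffff880`033b5d78 fffffa80`00000029 fffffa80`141f2510 00000000`00000001 : tcpip!TcpTcbCarefulDatagram+0x543
fffff880`033b6500 fffffa80`0f58c7c0 : 00000000`00000000 fffffa80`0ee921a0 fffffa80`114541f2 fffffa80`00000100 : ndis+0xbf0eb
fffff880`033b6508 00000000`00000000 : fffffa80`0ee921a0 fffffa80`114541f2 fffffa80`00000100 00000000`00000001 : 0xfffffa80`0f58c7c0
"""
DUMP_2 = """BugCheck D1, {28, 2, 0, fffff880015aeb2d}
*** WARNING: Unable to verify timestamp for mfenlfk.sys
*** ERROR: Module load completed but symbols could not be loaded for
mfenlfk.sys
Probably caused by : NETIO.SYS ( NETIO!RtlCopyBufferToMdl+1d )
"""

# One STACK_TEXT row: child SP, return address, four args, then the call site.
FRAME = re.compile(r"^[0-9a-f`]{17} [0-9a-f`]{17} : .* : (.+)$", re.M)

def triage(text):
    """Summarise a WinDbg bugcheck analysis: blamed image, stack modules, flagged drivers."""
    code, args = re.search(r"BugCheck ([0-9A-Fa-f]+), \{([^}]*)\}", text).groups()
    blamed = re.search(r"Probably caused by : (\S+)", text).group(1)
    # \s+ tolerates the line wrap seen in the second quoted output.
    flagged = re.findall(r"symbols could not be loaded for\s+(\S+)", text)
    stack = []
    for site in FRAME.findall(text):
        m = re.match(r"([A-Za-z_]\w*)[!+]", site)   # "mod!sym" or bare "mod+off"
        mod = m.group(1).lower() if m else "<raw address>"
        if not stack or stack[-1] != mod:           # collapse runs of one module
            stack.append(mod)
    # Flagged modules other than the blamed image are candidates to inspect next;
    # a symbol warning marks a module to look at, it is not a verdict.
    inspect = [f for f in dict.fromkeys(flagged) if f.lower() != blamed.lower()]
    return {"bugcheck": code, "args": [a.strip() for a in args.split(",")],
            "blamed": blamed, "stack": stack, "inspect_next": inspect}

if __name__ == "__main__":
    for name, dump in (("first dump", DUMP_1), ("second dump", DUMP_2)):
        print(name, triage(dump))
```
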