Windows 7 Pro 64-bit - BSOD on ndis.sys
Running fine since October then started getting BSOD at boot-up with the following error. No new hardware or software
installed. PC came up and ran once since 6/19 but now consistently blue screens. Re-installed the NIC driver while in safe mode with no luck. Any help would be appreciated. Thanks...
Problem signature:
Problem Event Name:
BlueScreen
OS Version:
6.1.7600.2.0.0.256.48
Locale ID:
1033
Additional information about the problem:
BCCode:
d1
BCP1:
00000000081BAF2E
BCP2:
0000000000000002
BCP3:
0000000000000000
BCP4:
FFFFF880016B0161
OS Version:
6_1_7600
Service Pack:
0_0
Product:
256_1
Files that help describe the problem:
C:\Windows\Minidump\062110-26317-01.dmp
C:\Users\Les\AppData\Local\Temp\WER-49280-0.sysdata.xml
June 22nd, 2010 2:15pm
Can you zip up the minidump files in the C:\Windows\Minidump folder and make available (provide link) via Windows Live SkyDrive or similar site?
The following link has information on using Windows Live SkyDrive:
http://social.technet.microsoft.com/Forums/en-US/w7itproui/thread/4fc10639-02db-4665-993a-08d865088d65
If you have problems zipping the minidump files copy the minidump files to another location such as a folder on the Desktop.
Free Windows Admin Tool Kit Click here and download it now
June 22nd, 2010 3:17pm
Sorry for the delay. Skydrive was blocked at work... Link is:
http://cid-8a8f8339a70e1847.office.live.com/self.aspx/.Documents/BSOD%5E_NDIS/minidump%5E_BSOD%5E_NDIS-SYS.zip
Appreciate any help you can offer. Thanks...
June 23rd, 2010 1:57am
Here's the result of the Bugcheck Analysis using WinDbg of the Debugging Tools for Windows - both minidumps had the same result:
.....
*******************************************************************************
*
*
* Bugcheck Analysis
*
*
*
*******************************************************************************
Use !analyze -v to get detailed debugging information.
BugCheck D1, {816aa6e, 2, 0, fffff8800160f161}
Unable to load image \SystemRoot\system32\DRIVERS\mfenlfk.sys, Win32 error 0n2
*** WARNING: Unable to verify timestamp for mfenlfk.sys
*** ERROR: Module load completed but symbols could not be loaded for
mfenlfk.sys
Probably caused by : pacer.sys ( pacer!PcFilterSendNetBufferLists+29 )
Followup: MachineOwner
---------
4: kd> !analyze -v
*******************************************************************************
*
*
* Bugcheck Analysis
*
*
*
*******************************************************************************
DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high. This is usually
caused by drivers using improper addresses.
If kernel debugger is available get stack backtrace.
Arguments:
Arg1: 000000000816aa6e, memory referenced
Arg2: 0000000000000002, IRQL
Arg3: 0000000000000000, value 0 = read operation, 1 = write operation
Arg4: fffff8800160f161, address which referenced memory
Debugging Details:
------------------
READ_ADDRESS: GetPointerFromAddress: unable to read from fffff800035030e0
000000000816aa6e
CURRENT_IRQL: 2
FAULTING_IP:
ndis!memcpy+1d1
fffff880`0160f161 668b040a mov ax,word ptr [rdx+rcx]
CUSTOMER_CRASH_COUNT: 1
DEFAULT_BUCKET_ID: VISTA_DRIVER_FAULT
BUGCHECK_STR: 0xD1
PROCESS_NAME: System
TRAP_FRAME: fffff88007704c70 -- (.trap 0xfffff88007704c70)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=000000000816aa60 rbx=0000000000000000 rcx=fffffa80081cbc5c
rdx=0000057ffff9ee12 rsi=0000000000000000 rdi=0000000000000000
rip=fffff8800160f161 rsp=fffff88007704e08 rbp=fffffa800722b480
r8=0000000000000010 r9=0000000000000000 r10=fffffa80063e6600
r11=fffffa80081cbc4e r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei ng nz na po nc
ndis!memcpy+0x1d1:
fffff880`0160f161 668b040a mov ax,word ptr [rdx+rcx] ds:007e:00000000`0816aa6e=????
Resetting default scope
LAST_CONTROL_TRANSFER: from fffff800032cab69 to fffff800032cb600
STACK_TEXT:
fffff880`07704b28 fffff800`032cab69 : 00000000`0000000a 00000000`0816aa6e 00000000`00000002 00000000`00000000 : nt!KeBugCheckEx
fffff880`07704b30 fffff800`032c97e0 : 00000000`00000000 00000000`00000010 fffff880`00000000 00000000`0000006d : nt!KiBugCheckDispatch+0x69
fffff880`07704c70 fffff880`0160f161 : fffff880`016ce333 00000000`00000040 00000000`00000000 00000000`00000000 : nt!KiPageFault+0x260
fffff880`07704e08 fffff880`016ce333 : 00000000`00000040 00000000`00000000 00000000`00000000 00000000`00000000 : ndis!memcpy+0x1d1
fffff880`07704e10 fffff880`0165236c : fffffa80`0722c360 00000000`0000ff02 fffffa80`0722c360 00000000`00000000 : ndis!ndisDoLoopbackNetBufferList+0x213
fffff880`07704e80 fffff880`016caecb : fffffa80`06ba41a0 fffffa80`0722c360 fffff880`00000000 fffff880`00000003 : ndis!ndisMLoopbackNetBufferLists+0xec
fffff880`07704f00 fffff880`0160daf4 : 00000000`00000000 fffffa80`07022010 fffffa80`0701d500 00000000`00000000 : ndis! ?? ::FJGMBFAB::`string'+0x645
fffff880`07704f60 fffff880`03f84199 : fffffa80`0731e680 fffffa80`070209b0 00000000`00000000 fffffa80`08b22520 : ndis!NdisFSendNetBufferLists+0x64
fffff880`07704fa0 fffff880`0160daf4 : fffff880`07705120 fffff880`03faca0e fffffa80`08b22520 fffff880`07705120 : pacer!PcFilterSendNetBufferLists+0x29
fffff880`077050a0 fffff880`03fa9efd : 00000000`00000000 00000000`00000001 fffff880`07705168 fffffa80`0722c360 : ndis!NdisFSendNetBufferLists+0x64
fffff880`077050e0 00000000`00000000 : 00000000`00000001 fffff880`07705168 fffffa80`0722c360 00000000`00000001 :
mfenlfk+0xefd
STACK_COMMAND: kb
FOLLOWUP_IP:
pacer!PcFilterSendNetBufferLists+29
fffff880`03f84199 4881c4e0000000 add rsp,0E0h
SYMBOL_STACK_INDEX: 8
SYMBOL_NAME: pacer!PcFilterSendNetBufferLists+29
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: pacer
IMAGE_NAME: pacer.sys
DEBUG_FLR_IMAGE_TIMESTAMP: 4a5bccc5
FAILURE_BUCKET_ID: X64_0xD1_pacer!PcFilterSendNetBufferLists+29
BUCKET_ID: X64_0xD1_pacer!PcFilterSendNetBufferLists+29
Followup: MachineOwner
---------
Although the pacer.sys took the blame for the crash the mfenlfk.sys (see bolded) was on the stack accessing and possibly corrupting memory ahead of the ndis.sys and pacer.sys.
Since the mfenlfk.sys is a McAfee driver I would suggest to uninstall McAfee and see if the BSODs resolve.
Afterward you could reinstall McAfee using the latest version available.
What is interesting is that a similar error to what you are experiencing is reported in the following link:
http://www.sevenforums.com/crashes-debugging/87907-bsod-after-login-when-cold-minidump-included.html
The lpx6.sys is implicated in that crash, and since you also have that driver installed, you could also consider uninstalling the Ximeta software either before or after McAfee and see if that makes a difference.
Free Windows Admin Tool Kit Click here and download it now
June 23rd, 2010 3:51am
Thanks fpr the info. I'll give your suggestions a try and let you know the results...
Problem was Ximeta. As soon as the NAS was found, Windows blue-screened. Un-installed NDAS and all is well. Thanks for the help.
June 23rd, 2010 5:03am