Hi Tyson,

I have analyzed the five dumps you provided:

1) 072715-32078-01.dmp
This dump is caused by nt!VerifierBugCheckIfAppropriate+0x3c code from
process svchost.exe, and it seems that you switched on the Verifier
function for your system. I think there's no relationship with Npcap.

2) 072715-31968-01.dmp and 072715-32468-01.dmp
These dumps show a BSoD about SYSTEM_SERVICE_EXCEPTION. It is caused
by ndis!NdisFOidRequest+62 code from process dumpcap.exe. As Npcap uses
NdisFOidRequest calls, I think it's possibly a bug. I'd like to know how
you used dumpcap.exe, like which parameters?

3) 072715-33859-01.dmp and 072715-48062-01.dmp
It is caused by Asset-uPNP.exe, from the Asset audio server software
provided by illustrate. I think maybe you would like to disable or
uninstall it first, to see if the fault still happens. WinDbg also reports
OVERLAPPED_MODULE: Address regions for 'nwifi' and 'appexDrv.sys'
overlap. The description of 'appexDrv.sys' is "AppEx Accelerator LWF/WFP
Driver L.E.". nwifi.sys seems to be a Microsoft built-in component,
and AppEx Networks Accelerator seems to be VPN software; unfortunately, I
didn't find a download link. But this is maybe not the main cause; anyway,
you can try to shut it down to see if there's any change.

072715-48062-01.dmp's report is pasted here:

*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck C2, {7, 1200, 0, ffffe0008d01cbf8}

fffff80059152240: Unable to get special pool info
fffff80059152240: Unable to get special pool info
unable to get nt!MmPoolCodeStart
unable to get nt!MmPoolCodeEnd
Probably caused by : NETIO.SYS ( NETIO!NetioCompleteCloneNetBufferListChain+1508d )

Followup: MachineOwner
---------

0: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

BAD_POOL_CALLER (c2)
The current thread is making a bad pool request.  Typically this is at a
bad IRQL level or double freeing the same allocation, etc.
Arguments:
Arg1: 0000000000000007, Attempt to free pool which was already freed
Arg2: 0000000000001200, (reserved)
Arg3: 0000000000000000, Memory contents of the pool block
Arg4: ffffe0008d01cbf8, Address of the block of pool being deallocated

Debugging Details:
------------------


OVERLAPPED_MODULE: Address regions for 'nwifi' and 'appexDrv.sys' overlap

POOL_ADDRESS:  ffffe0008d01cbf8

FREED_POOL_TAG:  NDnd

BUGCHECK_STR:  0xc2_7_NDnd

CUSTOMER_CRASH_COUNT:  1

DEFAULT_BUCKET_ID:  VISTA_DRIVER_FAULT

PROCESS_NAME:  Asset-uPNP.exe

CURRENT_IRQL:  2

LAST_CONTROL_TRANSFER:  from fffff8005912fff2 to fffff80058fdbca0

STACK_TEXT:
ffffd000`27118f88 fffff800`5912fff2 : 00000000`000000c2 00000000`00000007 00000000`00001200 00000000`00000000 : nt!KeBugCheckEx
ffffd000`27118f90 fffff800`3763083d : 00000000`00000000 ffffe000`8d596040 000008fe`00000010 00000014`00000000 : nt!ExAllocatePoolWithTag+0x1102
ffffd000`27119080 fffff800`376023f1 : 00000000`00000000 ffffe000`8ceb3740 00000000`00000000 00000000`00000000 : NETIO!NetioCompleteCloneNetBufferListChain+0x1508d
ffffd000`271190f0 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : NETIO!NetioDereferenceNetBufferListChain+0x2d1


STACK_COMMAND:  kb

FOLLOWUP_IP:
NETIO!NetioCompleteCloneNetBufferListChain+1508d
fffff800`3763083d 90              nop

SYMBOL_STACK_INDEX:  2

SYMBOL_NAME:  NETIO!NetioCompleteCloneNetBufferListChain+1508d

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: NETIO

IMAGE_NAME:  NETIO.SYS

DEBUG_FLR_IMAGE_TIMESTAMP:  540ebbe6

FAILURE_BUCKET_ID:  X64_0xc2_7_NDnd_NETIO!NetioCompleteCloneNetBufferListChain+1508d

BUCKET_ID:  X64_0xc2_7_NDnd_NETIO!NetioCompleteCloneNetBufferListChain+1508d

Followup: MachineOwner
---------

On Tue, Jul 28, 2015 at 3:12 PM, Tyson Key <[email protected]> wrote:

> I just uploaded my MiniDumps to
> https://dl.dropboxusercontent.com/u/670345/MiniDump.rar, if it makes
> debugging this easier.
>
> Tyson.
>
> 2015-07-28 8:08 GMT+01:00 Tyson Key <[email protected]>:
>
>> Hi Yang,
>>
>> Thanks for looking into this.
>>
>> I can't remember when/how I installed Win10PCap (guessing that I briefly
>> had a look, but couldn't get it to do anything on my machine, and just
>> removed it), but I'm using VMware Player 6.0.7 build-2844087 (haven't got
>> Workstation/Server installed); and I tried a dance of
>> upgrading/downgrading/upgrading my AR9485WB-EG WLAN driver (first by
>> downloading the package from
>> http://support.lenovo.com/us/en/downloads/ds032333, to take me from
>> 10.0.0.242, to 10.0.0.75; and then using Device Manager's driver update
>> function, to take me to 3.0.1.155 (which I'm guessing is probably older
>> than 242 - I'm just guessing from the sketchy build dates) - which gave me
>> a different type of BSoD, initially, after starting Wireshark, but let me
>> capture traffic for a little while, after rebooting.
>>
>> Here's all of the MiniDump summaries that I could find:
>>
>> ==================================================
>> Dump File         : 072715-31968-01.dmp
>> Crash Time        : 27/07/2015 07:02:32 pm
>> Bug Check String  : SYSTEM_SERVICE_EXCEPTION
>> Bug Check Code    : 0x0000003b
>> Parameter 1       : 00000000`c0000005
>> Parameter 2       : fffff801`1be5d485
>> Parameter 3       : ffffd000`2324e980
>> Parameter 4       : 00000000`00000000
>> Caused By Driver  : ntoskrnl.exe
>> Caused By Address : ntoskrnl.exe+150ca0
>> File Description  : NT Kernel & System
>> Product Name      : Microsoft® Windows® Operating System
>> Company           : Microsoft Corporation
>> File Version      : 6.3.9600.17736 (winblue_r9.150322-1500)
>> Processor         : x64
>> Crash Address     : ntoskrnl.exe+150ca0
>> Stack Address 1   :
>> Stack Address 2   :
>> Stack Address 3   :
>> Computer Name     :
>> Full Path         : C:\WINDOWS\Minidump\072715-31968-01.dmp
>> Processors Count  : 4
>> Major Version     : 15
>> Minor Version     : 9600
>> Dump File Size    : 281,520
>> Dump File Time    : 27/07/2015 07:03:33 pm
>> ==================================================
>>
>> ==================================================
>> Dump File         : 072715-32078-01.dmp
>> Crash Time        : 27/07/2015 06:47:01 pm
>> Bug Check String  : BAD_POOL_CALLER
>> Bug Check Code    : 0x000000c2
>> Parameter 1       : 00000000`00000099
>> Parameter 2       : ffffe000`7d4b31b8
>> Parameter 3       : 00000000`00000000
>> Parameter 4       : 00000000`00000000
>> Caused By Driver  : tcpip.sys
>> Caused By Address : tcpip.sys+42856
>> File Description  : TCP/IP Driver
>> Product Name      : Microsoft® Windows® Operating System
>> Company           : Microsoft Corporation
>> File Version      : 6.3.9600.16384 (winblue_rtm.130821-1623)
>> Processor         : x64
>> Crash Address     : ntoskrnl.exe+150ca0
>> Stack Address 1   :
>> Stack Address 2   :
>> Stack Address 3   :
>> Computer Name     :
>> Full Path         : C:\WINDOWS\Minidump\072715-32078-01.dmp
>> Processors Count  : 4
>> Major Version     : 15
>> Minor Version     : 9600
>> Dump File Size    : 281,520
>> Dump File Time    : 27/07/2015 06:48:04 pm
>> ==================================================
>>
>> ==================================================
>> Dump File         : 072715-32468-01.dmp
>> Crash Time        : 27/07/2015 06:34:37 pm
>> Bug Check String  : SYSTEM_SERVICE_EXCEPTION
>> Bug Check Code    : 0x0000003b
>> Parameter 1       : 00000000`c0000005
>> Parameter 2       : fffff801`962a446e
>> Parameter 3       : ffffd001`1bd0f980
>> Parameter 4       : 00000000`00000000
>> Caused By Driver  : ndis.sys
>> Caused By Address : ndis.sys+546e
>> File Description  : Network Driver Interface Specification (NDIS)
>> Product Name      : Microsoft® Windows® Operating System
>> Company           : Microsoft Corporation
>> File Version      : 6.3.9600.16384 (winblue_rtm.130821-1623)
>> Processor         : x64
>> Crash Address     : ntoskrnl.exe+150ca0
>> Stack Address 1   :
>> Stack Address 2   :
>> Stack Address 3   :
>> Computer Name     :
>> Full Path         : C:\WINDOWS\Minidump\072715-32468-01.dmp
>> Processors Count  : 4
>> Major Version     : 15
>> Minor Version     : 9600
>> Dump File Size    : 281,520
>> Dump File Time    : 27/07/2015 06:35:48 pm
>> ==================================================
>>
>> ==================================================
>> Dump File         : 072715-33859-01.dmp
>> Crash Time        : 27/07/2015 05:11:25 pm
>> Bug Check String  : BAD_POOL_CALLER
>> Bug Check Code    : 0x000000c2
>> Parameter 1       : 00000000`00000007
>> Parameter 2       : 00000000`00001200
>> Parameter 3       : 00000000`00000000
>> Parameter 4       : ffffe000`8d01cbf8
>> Caused By Driver  : ntoskrnl.exe
>> Caused By Address : ntoskrnl.exe+150ca0
>> File Description  : NT Kernel & System
>> Product Name      : Microsoft® Windows® Operating System
>> Company           : Microsoft Corporation
>> File Version      : 6.3.9600.17736 (winblue_r9.150322-1500)
>> Processor         : x64
>> Crash Address     : ntoskrnl.exe+150ca0
>> Stack Address 1   :
>> Stack Address 2   :
>> Stack Address 3   :
>> Computer Name     :
>> Full Path         : C:\WINDOWS\Minidump\072715-33859-01.dmp
>> Processors Count  : 4
>> Major Version     : 15
>> Minor Version     : 9600
>> Dump File Size    : 281,520
>> Dump File Time    : 27/07/2015 05:12:34 pm
>> ==================================================
>>
>> ==================================================
>> Dump File         : 072715-48062-01.dmp
>> Crash Time        : 27/07/2015 05:00:25 pm
>> Bug Check String  : BAD_POOL_CALLER
>> Bug Check Code    : 0x000000c2
>> Parameter 1       : 00000000`00000007
>> Parameter 2       : 00000000`00001200
>> Parameter 3       : 00000000`00000000
>> Parameter 4       : ffffe000`4bc1b4c8
>> Caused By Driver  : ntoskrnl.exe
>> Caused By Address : ntoskrnl.exe+150ca0
>> File Description  : NT Kernel & System
>> Product Name      : Microsoft® Windows® Operating System
>> Company           : Microsoft Corporation
>> File Version      : 6.3.9600.17736 (winblue_r9.150322-1500)
>> Processor         : x64
>> Crash Address     : ntoskrnl.exe+150ca0
>> Stack Address 1   :
>> Stack Address 2   :
>> Stack Address 3   :
>> Computer Name     :
>> Full Path         : C:\WINDOWS\Minidump\072715-48062-01.dmp
>> Processors Count  : 4
>> Major Version     : 15
>> Minor Version     : 9600
>> Dump File Size    : 281,520
>> Dump File Time    : 27/07/2015 05:01:58 pm
>> ==================================================
>>
>> Frustratingly, since there are so many variables involved (unscientific
>> method!), it seems like I'm playing a Jenga game with trying to make this
>> work, since if I remove, or change something, it works for a little while,
>> and then crashes in a creative, new way. (And I don't want to reinstall
>> everything, since I don't have a disk big enough to back everything up). :(
>>
>> I've uploaded a copy of the Nurago Web Meter to
>> https://dl.dropboxusercontent.com/u/670345/nurago%20web%20meter.exe, and
>> I seem to also have an older installer for it in my "Downloads" directory,
>> which may exercise the LSP architecture of WinSock differently.
>>
>> The SYSTEM_SERVICE_EXCEPTION error is interesting, as it is one of the
>> few that reveals a problem in WinSock/NDIS...
>>
>> I would try it in a virtual machine - but it wouldn't get us any closer
>> to diagnosing why it fails to work, with my not-so-unique configuration.
>>
>> Tyson.
>>
>> 2015-07-28 7:27 GMT+01:00 Yang Luo <[email protected]>:
>>
>>>
>>>
>>> On Mon, Jul 27, 2015 at 10:42 PM, Tyson Key <[email protected]> wrote:
>>>
>>>> After rebooting from uninstalling MS NetMon, I restarted Wireshark, and
>>>> got the usual "NPF service not running; no interfaces available" note. This
>>>> persists, even if I try "NPFInstall -r", and Wireshark still claims that no
>>>> interfaces are available.
>>>>
>>>>
>>> "*NPFInstall -r*" isn't used in Npcap. "*NPF service not running; no
>>> interfaces available*" is a common problem for Npcap previous versions.
>>> And I think it should disappear if you have uninstalled previous versions
>>> totally.
>>>
>>>
>>>> Eventually, after uninstalling NPCap, removing all of the loopback
>>>> interfaces, and running CCleaner to remove any residual registry data, and
>>>> then rebooting yet again, I could start Wireshark, and list the installed
>>>> interfaces - but unsurprisingly, a few moments later, I received another
>>>> BSoD.
>>>>
>>>> If it helps, my Wireshark version is:
>>>>
>>>> Version 1.99.8-492-g3f0f49d (v1.99.8rc0-492-g3f0f49d from master)
>>>>
>>>> Copyright 1998-2015 Gerald Combs <[email protected]> and
>>>> contributors.
>>>> License GPLv2+: GNU GPL version 2 or later <
>>>> http://www.gnu.org/licenses/old-licenses/gpl-2.0.html>
>>>> This is free software; see the source for copying conditions. There is
>>>> NO
>>>> warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR
>>>> PURPOSE.
>>>>
>>>> Compiled (64-bit) with GTK+ 2.24.23, with Cairo 1.12.16, with Pango
>>>> 1.36.8, with
>>>> WinPcap (unknown), with libz 1.2.8, with GLib 2.42.0, with SMI 0.4.8,
>>>> with
>>>> c-ares 1.9.1, with Lua 5.2, with GnuTLS 3.2.15, with Gcrypt 1.6.2, with
>>>> MIT
>>>> Kerberos, with GeoIP, with PortAudio V19-devel (built Jul 22 2015), with
>>>> AirPcap.
>>>>
>>>> Running on 64-bit Windows 8.1, build 9600, with locale English_United
>>>> Kingdom.1252, with Npcap version 0.01 (packet.dll version 0.03), based
>>>> on
>>>> WinPcap version 4.1.3 (packet.dll version 4.1.0.3001), based on libpcap
>>>> version
>>>> 1.0 branch 1_0_rel0b (20091008), with GnuTLS 3.2.15, with Gcrypt 1.6.2,
>>>> without
>>>> AirPcap.
>>>> AMD A6-5200 APU with Radeon(TM) HD Graphics     (with SSE4.2), with
>>>> 5577MB of
>>>> physical memory.
>>>>
>>>>
>>>> Built using Microsoft Visual C++ 12.0 build 31101
>>>>
>>>> Wireshark is Open Source Software released under the GNU General Public
>>>> License.
>>>>
>>>> Check the man page and http://www.wireshark.org for more information.
>>>>
>>>
>>> I used Wireshark latest stable version: Version 1.12.6
>>> (v1.12.6-0-gee1fce6 from master-1.12). But I don't think it makes a
>>> difference by using stable version or development version, as its WinPcap
>>> related low-level code rarely changed between these two versions.
>>>
>>>
>>>>
>>>> Other than NetMon (which I've removed), the only other things that I
>>>> think could be causing a conflict are either the VMware host-only
>>>> networking filters; the networking components included with whatever
>>>> Bluetooth stack Lenovo shipped; the massive pile of hacks installed by the
>>>> Gacela component of "Nurago Web Meter", or my Atheros WLAN drivers (which
>>>> caused Acrylic Wi-Fi's NDIS filters to crash, when I briefly had that
>>>> installed, a while ago).
>>>>
>>>
>>> What version VMware are you using? Workstation or just Player? I used
>>> VMware Workstation 11.1.2 build-2780323 on my host, but I didn't install it
>>> on my test VM yet.
>>>
>>>
>>> Cheers,
>>> Yang
>>>
>>>
>>> ___________________________________________________________________________
>>> Sent via:    Wireshark-dev mailing list <[email protected]>
>>> Archives:    https://www.wireshark.org/lists/wireshark-dev
>>> Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
>>>              mailto:[email protected]
>>> ?subject=unsubscribe
>>>
>>
>>
>>
>> --
>>                                           Fight Internet Censorship!
>> http://www.eff.org
>> http://vmlemon.wordpress.com | Twitter/FriendFeed/Skype: vmlemon |
>> 00447934365844
>>
>
>
>
> --
>                                           Fight Internet Censorship!
> http://www.eff.org
> http://vmlemon.wordpress.com | Twitter/FriendFeed/Skype: vmlemon |
> 00447934365844
>
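The grouping used in the analysis at the top of this thread (two SYSTEM_SERVICE_EXCEPTION dumps, one BAD_POOL_CALLER with parameter 0x99, two BAD_POOL_CALLER with parameter 7) can be reproduced by keying each quoted minidump summary on bug check code plus first parameter. This is an added example, not part of the original messages; the function names are hypothetical and the sample is abridged from the summaries quoted above.

```python
from collections import defaultdict

# Abridged from the five summaries quoted in this thread (three fields kept
# per record); the ">> " mail-quote prefixes are stripped by the parser.
SAMPLE = """\
>> ==================================================
>> Dump File         : 072715-31968-01.dmp
>> Bug Check Code    : 0x0000003b
>> Parameter 1       : 00000000`c0000005
>> ==================================================
>> Dump File         : 072715-32078-01.dmp
>> Bug Check Code    : 0x000000c2
>> Parameter 1       : 00000000`00000099
>> ==================================================
>> Dump File         : 072715-32468-01.dmp
>> Bug Check Code    : 0x0000003b
>> Parameter 1       : 00000000`c0000005
>> ==================================================
>> Dump File         : 072715-33859-01.dmp
>> Bug Check Code    : 0x000000c2
>> Parameter 1       : 00000000`00000007
>> ==================================================
>> Dump File         : 072715-48062-01.dmp
>> Bug Check Code    : 0x000000c2
>> Parameter 1       : 00000000`00000007
>> ==================================================
"""

def parse_records(text):
    """Return one {field: value} dict per '====='-delimited record."""
    records = [{}]
    for line in text.splitlines():
        body = line.lstrip("> \t").strip()   # drop mail-quote markers
        if body.startswith("===="):          # separator starts a new record
            records.append({})
            continue
        key, sep, value = body.partition(":")  # first colon only, so paths survive
        if sep:
            records[-1][key.strip()] = value.strip()
    return [r for r in records if r]

def group_by_signature(records):
    """Map (bug check code, parameter 1) -> dump files sharing that signature."""
    groups = defaultdict(list)
    for rec in records:
        if {"Dump File", "Bug Check Code", "Parameter 1"} <= rec.keys():
            code = int(rec["Bug Check Code"], 16)
            arg1 = int(rec["Parameter 1"].replace("`", ""), 16)  # 64-bit value, ` removed
            groups[(code, arg1)].append(rec["Dump File"])
    return dict(groups)
```

Dumps that share a signature are candidates for a single root cause, so only one dump per group needs a full `!analyze -v` pass first.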