Aah, I had a look at "Programs, and Features", and it says that the AppEx thing is "AMD Quick Stream" 3.4.4.0, published by AppEx Networks, of Beijing (http://www.appexnetworks.com.cn/). I found a marketing document regarding it at http://support.amd.com/en-us/kb-articles/Pages/AMDQuickStreamTechnology.aspx .
Tyson.

2015-07-28 16:03 GMT+01:00 Tyson Key <tyson....@gmail.com>:

> Hi Yang,
>
> Thanks for looking at these dumps.
>
> Yup, I think I enabled the verifier, a few months ago, whilst trying to
> debug some other issue (probably related to the AppEx thing), and I forgot
> that I kept it enabled.
>
> As for the dumpcap arguments, I just let Wireshark invoke it, through the
> GUI - so the arguments are whatever it spits out by default, to set up
> various pipes. I'd have to surgically remove NPCap, and replace it with
> regular WinPCap, and then try to trace Wireshark Qt/GTK, to learn the
> arguments (or see if "tasklist /V", or some other utility reveals them).
> I'd expect that they'd look similar to the ones issued under Linux, modulo
> device names, though.
>
> I'm kinda surprised that Asset is responsible for some of the crashes, to
> be honest. Sure, it does funny things with multicasting, as a UPnP server
> implementation, but it's usually pretty reliable, in general operation.
> Might be worth me reporting a bug to Illustrate, when I get chance; and
> I'll see what happens if I uninstall it, in the meantime.
>
> As for AppEx, I'm pretty sure that I removed its driver from all of my
> interfaces, but I wouldn't be surprised if there's not something vestigial.
> Going to see if I can fully cleanse it from my system, since it was an
> OEM-supplied product, and not something that I opted to install. (And I've
> had BSoDs from it before, whilst trying to diagnose some WLAN problems). I
> think it's supposed to be some sort of "game/multimedia quality-of-service
> optimisation" tool.
>
> Take care,
>
> Tyson.
>
> 2015-07-28 12:41 GMT+01:00 Yang Luo <hslu...@gmail.com>:
>
>> Hi Tyson,
>>
>> I have analyzed the five dumps you provided:
>>
>> 1) 072715-32078-01.dmp
>> This dump is caused by nt!VerifierBugCheckIfAppropriate+0x3c code from
>> process svchost.exe, and it seems to be that you switched on Verifier
>> function for your system. I think there's no relationship with Npcap.
>>
>> 2) 072715-31968-01.dmp and 072715-32468-01.dmp
>> this dump provides BSoD about SYSTEM_SERVICE_EXCEPTION. It is caused
>> by ndis!NdisFOidRequest+62 code from process dumpcap.exe. As Npcap uses
>> NdisFOidRequest calls, I think it's possibly a bug. I'd like to know how
>> you used dumpcap.exe, like parameters?
>>
>> 3) 072715-33859-01.dmp and 072715-48062-01.dmp
>> It is caused by Asset-uPNP.exe, from Asset audio server software provided
>> by illustrate. I think maybe you would like to disable or uninstall it
>> first, to see if the fault still happens. WinDbg also reports
>> that OVERLAPPED_MODULE: Address regions for 'nwifi' and 'appexDrv.sys'
>> overlap. 'appexDrv.sys''s description is " "AppEx Accelerator LWF/WFP
>> Driver L.E."". nwifi.sys seems to be a Microsoft built-in component,
>> and AppEx Networks Accelerator seems to be a VPN software, unfortunately, I
>> didn't find a download link. But this is maybe not the main cause, whatever
>> you can try to shutdown it to see if there's any change.
>>
>> 072715-48062-01.dmp's report is pasted here:
>>
>>
>> *******************************************************************************
>> *                                                                             *
>> *                        Bugcheck Analysis                                    *
>> *                                                                             *
>> *******************************************************************************
>>
>> Use !analyze -v to get detailed debugging information.
>>
>> BugCheck C2, {7, 1200, 0, ffffe0008d01cbf8}
>>
>> fffff80059152240: Unable to get special pool info
>> fffff80059152240: Unable to get special pool info
>> unable to get nt!MmPoolCodeStart
>> unable to get nt!MmPoolCodeEnd
>> Probably caused by : NETIO.SYS ( NETIO!NetioCompleteCloneNetBufferListChain+1508d )
>>
>> Followup: MachineOwner
>> ---------
>>
>> 0: kd> !analyze -v
>>
>> *******************************************************************************
>> *                                                                             *
>> *                        Bugcheck Analysis                                    *
>> *                                                                             *
>> *******************************************************************************
>>
>> BAD_POOL_CALLER (c2)
>> The current thread is making a bad pool request. Typically this is at a
>> bad IRQL level or double freeing the same allocation, etc.
>> Arguments:
>> Arg1: 0000000000000007, Attempt to free pool which was already freed
>> Arg2: 0000000000001200, (reserved)
>> Arg3: 0000000000000000, Memory contents of the pool block
>> Arg4: ffffe0008d01cbf8, Address of the block of pool being deallocated
>>
>> Debugging Details:
>> ------------------
>>
>>
>> OVERLAPPED_MODULE: Address regions for 'nwifi' and 'appexDrv.sys' overlap
>>
>> POOL_ADDRESS: ffffe0008d01cbf8
>>
>> FREED_POOL_TAG: NDnd
>>
>> BUGCHECK_STR: 0xc2_7_NDnd
>>
>> CUSTOMER_CRASH_COUNT: 1
>>
>> DEFAULT_BUCKET_ID: VISTA_DRIVER_FAULT
>>
>> PROCESS_NAME: Asset-uPNP.exe
>>
>> CURRENT_IRQL: 2
>>
>> LAST_CONTROL_TRANSFER: from fffff8005912fff2 to fffff80058fdbca0
>>
>> STACK_TEXT:
>> ffffd000`27118f88 fffff800`5912fff2 : 00000000`000000c2 00000000`00000007 00000000`00001200 00000000`00000000 : nt!KeBugCheckEx
>> ffffd000`27118f90 fffff800`3763083d : 00000000`00000000 ffffe000`8d596040 000008fe`00000010 00000014`00000000 : nt!ExAllocatePoolWithTag+0x1102
>> ffffd000`27119080 fffff800`376023f1 : 00000000`00000000 ffffe000`8ceb3740 00000000`00000000 00000000`00000000 : NETIO!NetioCompleteCloneNetBufferListChain+0x1508d
>> ffffd000`271190f0 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : NETIO!NetioDereferenceNetBufferListChain+0x2d1
>>
>>
>> STACK_COMMAND: kb
>>
>> FOLLOWUP_IP:
>> NETIO!NetioCompleteCloneNetBufferListChain+1508d
>> fffff800`3763083d 90 nop
>>
>> SYMBOL_STACK_INDEX: 2
>>
>> SYMBOL_NAME: NETIO!NetioCompleteCloneNetBufferListChain+1508d
>>
>> FOLLOWUP_NAME: MachineOwner
>>
>> MODULE_NAME: NETIO
>>
>> IMAGE_NAME: NETIO.SYS
>>
>> DEBUG_FLR_IMAGE_TIMESTAMP: 540ebbe6
>>
>> FAILURE_BUCKET_ID: X64_0xc2_7_NDnd_NETIO!NetioCompleteCloneNetBufferListChain+1508d
>>
>> BUCKET_ID: X64_0xc2_7_NDnd_NETIO!NetioCompleteCloneNetBufferListChain+1508d
>>
>> Followup: MachineOwner
>> ---------
>>
>> On Tue, Jul 28, 2015 at 3:12 PM, Tyson Key <tyson....@gmail.com> wrote:
>>
>>> I just uploaded my MiniDumps to
>>> https://dl.dropboxusercontent.com/u/670345/MiniDump.rar, if it makes
>>> debugging this easier.
>>>
>>> Tyson.
>>>
>>> 2015-07-28 8:08 GMT+01:00 Tyson Key <tyson....@gmail.com>:
>>>
>>>> Hi Yang,
>>>>
>>>> Thanks for looking into this.
>>>>
>>>> I can't remember when/how I installed Win10PCap (guessing that I
>>>> briefly had a look, but couldn't get it to do anything on my machine, and
>>>> just removed it), but I'm using VMware Player 6.0.7 build-2844087 (haven't
>>>> got Workstation/Server installed); and I tried a dance of
>>>> upgrading/downgrading/upgrading my AR9485WB-EG WLAN driver (first by
>>>> downloading the package from
>>>> http://support.lenovo.com/us/en/downloads/ds032333, to take me from
>>>> 10.0.0.242, to 10.0.0.75; and then using Device Manager's driver update
>>>> function, to take me to 3.0.1.155 (which I'm guessing is probably older
>>>> than 242 - I'm just guessing from the sketchy build dates) - which gave me
>>>> a different type of BSoD, initially, after starting Wireshark, but let me
>>>> capture traffic for a little while, after rebooting.
>>>>
>>>> Here's all of the MiniDump summaries that I could find:
>>>>
>>>> ==================================================
>>>> Dump File : 072715-31968-01.dmp
>>>> Crash Time : 27/07/2015 07:02:32 pm
>>>> Bug Check String : SYSTEM_SERVICE_EXCEPTION
>>>> Bug Check Code : 0x0000003b
>>>> Parameter 1 : 00000000`c0000005
>>>> Parameter 2 : fffff801`1be5d485
>>>> Parameter 3 : ffffd000`2324e980
>>>> Parameter 4 : 00000000`00000000
>>>> Caused By Driver : ntoskrnl.exe
>>>> Caused By Address : ntoskrnl.exe+150ca0
>>>> File Description : NT Kernel & System
>>>> Product Name : Microsoft® Windows® Operating System
>>>> Company : Microsoft Corporation
>>>> File Version : 6.3.9600.17736 (winblue_r9.150322-1500)
>>>> Processor : x64
>>>> Crash Address : ntoskrnl.exe+150ca0
>>>> Stack Address 1 :
>>>> Stack Address 2 :
>>>> Stack Address 3 :
>>>> Computer Name :
>>>> Full Path : C:\WINDOWS\Minidump\072715-31968-01.dmp
>>>> Processors Count : 4
>>>> Major Version : 15
>>>> Minor Version : 9600
>>>> Dump File Size : 281,520
>>>> Dump File Time : 27/07/2015 07:03:33 pm
>>>> ==================================================
>>>>
>>>> ==================================================
>>>> Dump File : 072715-32078-01.dmp
>>>> Crash Time : 27/07/2015 06:47:01 pm
>>>> Bug Check String : BAD_POOL_CALLER
>>>> Bug Check Code : 0x000000c2
>>>> Parameter 1 : 00000000`00000099
>>>> Parameter 2 : ffffe000`7d4b31b8
>>>> Parameter 3 : 00000000`00000000
>>>> Parameter 4 : 00000000`00000000
>>>> Caused By Driver : tcpip.sys
>>>> Caused By Address : tcpip.sys+42856
>>>> File Description : TCP/IP Driver
>>>> Product Name : Microsoft® Windows® Operating System
>>>> Company : Microsoft Corporation
>>>> File Version : 6.3.9600.16384 (winblue_rtm.130821-1623)
>>>> Processor : x64
>>>> Crash Address : ntoskrnl.exe+150ca0
>>>> Stack Address 1 :
>>>> Stack Address 2 :
>>>> Stack Address 3 :
>>>> Computer Name :
>>>> Full Path : C:\WINDOWS\Minidump\072715-32078-01.dmp
>>>> Processors Count : 4
>>>> Major Version : 15
>>>> Minor Version : 9600
>>>> Dump File Size : 281,520
>>>> Dump File Time : 27/07/2015 06:48:04 pm
>>>> ==================================================
>>>>
>>>> ==================================================
>>>> Dump File : 072715-32468-01.dmp
>>>> Crash Time : 27/07/2015 06:34:37 pm
>>>> Bug Check String : SYSTEM_SERVICE_EXCEPTION
>>>> Bug Check Code : 0x0000003b
>>>> Parameter 1 : 00000000`c0000005
>>>> Parameter 2 : fffff801`962a446e
>>>> Parameter 3 : ffffd001`1bd0f980
>>>> Parameter 4 : 00000000`00000000
>>>> Caused By Driver : ndis.sys
>>>> Caused By Address : ndis.sys+546e
>>>> File Description : Network Driver Interface Specification (NDIS)
>>>> Product Name : Microsoft® Windows® Operating System
>>>> Company : Microsoft Corporation
>>>> File Version : 6.3.9600.16384 (winblue_rtm.130821-1623)
>>>> Processor : x64
>>>> Crash Address : ntoskrnl.exe+150ca0
>>>> Stack Address 1 :
>>>> Stack Address 2 :
>>>> Stack Address 3 :
>>>> Computer Name :
>>>> Full Path : C:\WINDOWS\Minidump\072715-32468-01.dmp
>>>> Processors Count : 4
>>>> Major Version : 15
>>>> Minor Version : 9600
>>>> Dump File Size : 281,520
>>>> Dump File Time : 27/07/2015 06:35:48 pm
>>>> ==================================================
>>>>
>>>> ==================================================
>>>> Dump File : 072715-33859-01.dmp
>>>> Crash Time : 27/07/2015 05:11:25 pm
>>>> Bug Check String : BAD_POOL_CALLER
>>>> Bug Check Code : 0x000000c2
>>>> Parameter 1 : 00000000`00000007
>>>> Parameter 2 : 00000000`00001200
>>>> Parameter 3 : 00000000`00000000
>>>> Parameter 4 : ffffe000`8d01cbf8
>>>> Caused By Driver : ntoskrnl.exe
>>>> Caused By Address : ntoskrnl.exe+150ca0
>>>> File Description : NT Kernel & System
>>>> Product Name : Microsoft® Windows® Operating System
>>>> Company : Microsoft Corporation
>>>> File Version : 6.3.9600.17736 (winblue_r9.150322-1500)
>>>> Processor : x64
>>>> Crash Address : ntoskrnl.exe+150ca0
>>>> Stack Address 1 :
>>>> Stack Address 2 :
>>>> Stack Address 3 :
>>>> Computer Name :
>>>> Full Path : C:\WINDOWS\Minidump\072715-33859-01.dmp
>>>> Processors Count : 4
>>>> Major Version : 15
>>>> Minor Version : 9600
>>>> Dump File Size : 281,520
>>>> Dump File Time : 27/07/2015 05:12:34 pm
>>>> ==================================================
>>>>
>>>> ==================================================
>>>> Dump File : 072715-48062-01.dmp
>>>> Crash Time : 27/07/2015 05:00:25 pm
>>>> Bug Check String : BAD_POOL_CALLER
>>>> Bug Check Code : 0x000000c2
>>>> Parameter 1 : 00000000`00000007
>>>> Parameter 2 : 00000000`00001200
>>>> Parameter 3 : 00000000`00000000
>>>> Parameter 4 : ffffe000`4bc1b4c8
>>>> Caused By Driver : ntoskrnl.exe
>>>> Caused By Address : ntoskrnl.exe+150ca0
>>>> File Description : NT Kernel & System
>>>> Product Name : Microsoft® Windows® Operating System
>>>> Company : Microsoft Corporation
>>>> File Version : 6.3.9600.17736 (winblue_r9.150322-1500)
>>>> Processor : x64
>>>> Crash Address : ntoskrnl.exe+150ca0
>>>> Stack Address 1 :
>>>> Stack Address 2 :
>>>> Stack Address 3 :
>>>> Computer Name :
>>>> Full Path : C:\WINDOWS\Minidump\072715-48062-01.dmp
>>>> Processors Count : 4
>>>> Major Version : 15
>>>> Minor Version : 9600
>>>> Dump File Size : 281,520
>>>> Dump File Time : 27/07/2015 05:01:58 pm
>>>> ==================================================
>>>>
>>>> Frustratingly, since there are so many variables involved (unscientific
>>>> method!), it seems like I'm playing a Jenga game with trying to make this
>>>> work, since if I remove, or change something, it works for a little while,
>>>> and then crashes in a creative, new way. (And I don't want to reinstall
>>>> everything, since I don't have a disk big enough to back everything up). :(
>>>>
>>>> I've uploaded a copy of the Nurago Web Meter to
>>>> https://dl.dropboxusercontent.com/u/670345/nurago%20web%20meter.exe,
>>>> and I seem to also have an older installer for it in my "Downloads"
>>>> directory, which may exercise the LSP architecture of WinSock differently.
>>>>
>>>> The SYSTEM_SERVICE_EXCEPTION error is interesting, as it is one of the
>>>> few that reveals a problem in WinSock/NDIS...
>>>>
>>>> I would try it in a virtual machine - but it wouldn't get us any closer
>>>> to diagnosing why it fails to work, with my not-so-unique configuration.
>>>>
>>>> Tyson.
>>>>
>>>> 2015-07-28 7:27 GMT+01:00 Yang Luo <hslu...@gmail.com>:
>>>>
>>>>>
>>>>>
>>>>> On Mon, Jul 27, 2015 at 10:42 PM, Tyson Key <tyson....@gmail.com>
>>>>> wrote:
>>>>>
>>>>>> After rebooting from uninstalling MS NetMon, I restarted Wireshark,
>>>>>> and got the usual "NPF service not running; no interfaces available" note.
>>>>>> This persists, even if I try "NPFInstall -r", and Wireshark still claims
>>>>>> that no interfaces are available.
>>>>>>
>>>>>>
>>>>> "*NPFInstall -r*" isn't used in Npcap. "*NPF service not running; no
>>>>> interfaces available*" is a common problem for Npcap previous
>>>>> versions. And I think it should disappear if you have uninstalled previous
>>>>> versions totally.
>>>>>
>>>>>
>>>>>> Eventually, after uninstalling NPCap, removing all of the loopback
>>>>>> interfaces, and running CCleaner to remove any residual registry data, and
>>>>>> then rebooting yet again, I could start Wireshark, and list the installed
>>>>>> interfaces - but unsurprisingly, a few moments later, I received another
>>>>>> BSoD.
>>>>>>
>>>>>> If it helps, my Wireshark version is:
>>>>>>
>>>>>> Version 1.99.8-492-g3f0f49d (v1.99.8rc0-492-g3f0f49d from master)
>>>>>>
>>>>>> Copyright 1998-2015 Gerald Combs <ger...@wireshark.org> and contributors.
>>>>>> License GPLv2+: GNU GPL version 2 or later <http://www.gnu.org/licenses/old-licenses/gpl-2.0.html>
>>>>>> This is free software; see the source for copying conditions. There is NO
>>>>>> warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
>>>>>>
>>>>>> Compiled (64-bit) with GTK+ 2.24.23, with Cairo 1.12.16, with Pango 1.36.8, with
>>>>>> WinPcap (unknown), with libz 1.2.8, with GLib 2.42.0, with SMI 0.4.8, with
>>>>>> c-ares 1.9.1, with Lua 5.2, with GnuTLS 3.2.15, with Gcrypt 1.6.2, with MIT
>>>>>> Kerberos, with GeoIP, with PortAudio V19-devel (built Jul 22 2015), with
>>>>>> AirPcap.
>>>>>>
>>>>>> Running on 64-bit Windows 8.1, build 9600, with locale English_United
>>>>>> Kingdom.1252, with Npcap version 0.01 (packet.dll version 0.03), based on
>>>>>> WinPcap version 4.1.3 (packet.dll version 4.1.0.3001), based on libpcap version
>>>>>> 1.0 branch 1_0_rel0b (20091008), with GnuTLS 3.2.15, with Gcrypt 1.6.2, without
>>>>>> AirPcap.
>>>>>> AMD A6-5200 APU with Radeon(TM) HD Graphics (with SSE4.2), with 5577MB of
>>>>>> physical memory.
>>>>>>
>>>>>>
>>>>>> Built using Microsoft Visual C++ 12.0 build 31101
>>>>>>
>>>>>> Wireshark is Open Source Software released under the GNU General
>>>>>> Public License.
>>>>>>
>>>>>> Check the man page and http://www.wireshark.org for more information.
>>>>>>
>>>>>
>>>>> I used Wireshark latest stable version: Version 1.12.6
>>>>> (v1.12.6-0-gee1fce6 from master-1.12). But I don't think it makes a
>>>>> difference by using stable version or development version, as its WinPcap
>>>>> related low-level code rarely changed between these two versions.
>>>>>
>>>>>
>>>>>>
>>>>>> Other than NetMon (which I've removed), the only other things that I
>>>>>> think could be causing a conflict are either the VMware host-only
>>>>>> networking filters; the networking components included with whatever
>>>>>> Bluetooth stack Lenovo shipped; the massive pile of hacks installed by the
>>>>>> Gacela component of "Nurago Web Meter", or my Atheros WLAN drivers (which
>>>>>> caused Acrylic Wi-Fi's NDIS filters to crash, when I briefly had that
>>>>>> installed, a while ago).
>>>>>>
>>>>>
>>>>> What version VMware are you using? Workstation or just Player? I used
>>>>> VMware Workstation 11.1.2 build-2780323 on my host, but I didn't install it
>>>>> on my test VM yet.
>>>>>
>>>>>
>>>>> Cheers,
>>>>> Yang
>>>>>
>>>>>
>>>>> ___________________________________________________________________________
>>>>> Sent via: Wireshark-dev mailing list <wireshark-dev@wireshark.org>
>>>>> Archives: https://www.wireshark.org/lists/wireshark-dev
>>>>> Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
>>>>> mailto:wireshark-dev-requ...@wireshark.org?subject=unsubscribe
>>>>>
>>>>
>>>>
>>>>
>>>> --
>>>> Fight Internet Censorship!
>>>> http://www.eff.org
>>>> http://vmlemon.wordpress.com | Twitter/FriendFeed/Skype: vmlemon | 00447934365844
>>>>
>>>
>>>
>>>
>>> --
>>> Fight Internet Censorship!
>>> http://www.eff.org
>>> http://vmlemon.wordpress.com | Twitter/FriendFeed/Skype: vmlemon | 00447934365844
>>>
>>>
>>> ___________________________________________________________________________
>>> Sent via: Wireshark-dev mailing list <wireshark-dev@wireshark.org>
>>> Archives: https://www.wireshark.org/lists/wireshark-dev
>>> Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
>>> mailto:wireshark-dev-requ...@wireshark.org?subject=unsubscribe
>>>
>>
>>
>>
>> ___________________________________________________________________________
>> Sent via: Wireshark-dev mailing list <wireshark-dev@wireshark.org>
>> Archives: https://www.wireshark.org/lists/wireshark-dev
>> Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
>> mailto:wireshark-dev-requ...@wireshark.org?subject=unsubscribe
>>
>
>
>
> --
> Fight Internet Censorship!
> http://www.eff.org
> http://vmlemon.wordpress.com | Twitter/FriendFeed/Skype: vmlemon | 00447934365844
>

--
Fight Internet Censorship!
http://www.eff.org
http://vmlemon.wordpress.com | Twitter/FriendFeed/Skype: vmlemon | 00447934365844
___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev@wireshark.org>
Archives:    https://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-requ...@wireshark.org?subject=unsubscribe
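
Added example, not part of the original messages: a Python sketch that parses the `====`-delimited minidump summaries quoted in this thread (mail quote markers included) and groups them by bug check code and first parameter, which reproduces the three-way split in Yang's analysis. The sample is trimmed to three fields per dump with values copied from the thread; the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample: the five summaries from the thread, trimmed to the
# three fields used here (values copied from the quoted message).
SUMMARIES = """\
>>>> ==================================================
>>>> Dump File : 072715-31968-01.dmp
>>>> Bug Check Code : 0x0000003b
>>>> Parameter 1 : 00000000`c0000005
>>>> ==================================================
>>>> Dump File : 072715-32078-01.dmp
>>>> Bug Check Code : 0x000000c2
>>>> Parameter 1 : 00000000`00000099
>>>> ==================================================
>>>> Dump File : 072715-32468-01.dmp
>>>> Bug Check Code : 0x0000003b
>>>> Parameter 1 : 00000000`c0000005
>>>> ==================================================
>>>> Dump File : 072715-33859-01.dmp
>>>> Bug Check Code : 0x000000c2
>>>> Parameter 1 : 00000000`00000007
>>>> ==================================================
>>>> Dump File : 072715-48062-01.dmp
>>>> Bug Check Code : 0x000000c2
>>>> Parameter 1 : 00000000`00000007
>>>> ==================================================
"""

# Optional e-mail quote markers ('>', '>>', ...) may precede every line.
QUOTE = r"^\s*(?:>+\s*)*"
FIELD = re.compile(QUOTE + r"([A-Za-z][\w ]*?)\s*:\s*(.*)$")
RULER = re.compile(QUOTE + r"={10,}\s*$", re.M)

def parse_records(text):
    """Split on the ==== rulers and turn each block into a field dict."""
    records = []
    for block in RULER.split(text):
        rec = {}
        for line in block.splitlines():
            m = FIELD.match(line)
            if m:
                rec[m.group(1)] = m.group(2).strip()
        if "Dump File" in rec:
            records.append(rec)
    return records

def signature(rec):
    """(bug check code, parameter 1) as ints; '`' splits 64-bit values."""
    code = int(rec["Bug Check Code"], 16)
    p1 = int(rec["Parameter 1"].replace("`", ""), 16)
    return code, p1

def group_by_signature(records):
    """Map each crash signature to the sorted dump files that share it."""
    groups = defaultdict(list)
    for rec in records:
        groups[signature(rec)].append(rec["Dump File"])
    return {sig: sorted(files) for sig, files in groups.items()}
```
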