Aah, I had a look at "Programs, and Features", and it says that the AppEx
thing is "AMD Quick Stream" 3.4.4.0, published by AppEx Networks, of
Beijing (http://www.appexnetworks.com.cn/). I found a marketing document
regarding it at
http://support.amd.com/en-us/kb-articles/Pages/AMDQuickStreamTechnology.aspx.

Tyson.

2015-07-28 16:03 GMT+01:00 Tyson Key <tyson....@gmail.com>:

> Hi Yang,
>
> Thanks for looking at these dumps.
>
> Yup, I think I enabled the verifier, a few months ago, whilst trying to
> debug some other issue (probably related to the AppEx thing), and I forgot
> that I kept it enabled.
>
> As for the dumpcap arguments, I just let Wireshark invoke it, through the
> GUI - so the arguments are whatever it spits out by default, to set up
> various pipes. I'd have to surgically remove NPCap, and replace it with
> regular WinPCap, and then try to trace Wireshark Qt/GTK, to learn the
> arguments (or see if "tasklist /V", or some other utility reveals them).
> I'd expect that they'd look similar to the ones issued under Linux, modulo
> device names, though.
>
> I'm kinda surprised that Asset is responsible for some of the crashes, to
> be honest. Sure, it does funny things with multicasting, as a UPnP server
> implementation, but it's usually pretty reliable, in general operation.
> Might be worth me reporting a bug to Illustrate, when I get chance; and
> I'll see what happens if I uninstall it, in the meantime.
>
> As for AppEx, I'm pretty sure that I removed its driver from all of my
> interfaces, but I wouldn't be surprised if there's not something vestigial.
> Going to see if I can fully cleanse it from my system, since it was an
> OEM-supplied product, and not something that I opted to install. (And I've
> had BSoDs from it before, whilst trying to diagnose some WLAN problems). I
> think it's supposed to be some sort of "game/multimedia quality-of-service
> optimisation" tool.
>
> Take care,
>
> Tyson.
>
> 2015-07-28 12:41 GMT+01:00 Yang Luo <hslu...@gmail.com>:
>
>> Hi Tyson,
>>
>> I have analyzed the five dumps you provided:
>>
>> 1) 072715-32078-01.dmp
>> This dump is caused by nt!VerifierBugCheckIfAppropriate+0x3c code from
>> process svchost.exe, and it seems that you switched on the Verifier
>> function for your system. I think there's no relationship with Npcap.
>>
>> 2) 072715-31968-01.dmp and 072715-32468-01.dmp
>> These dumps show a SYSTEM_SERVICE_EXCEPTION BSoD. It is caused
>> by ndis!NdisFOidRequest+62 code from process dumpcap.exe. As Npcap uses
>> NdisFOidRequest calls, I think it's possibly a bug. I'd like to know how
>> you used dumpcap.exe, e.g. which parameters?
>>
>> 3) 072715-33859-01.dmp and 072715-48062-01.dmp
>> It is caused by Asset-uPNP.exe, from the Asset audio server software provided
>> by Illustrate. I think maybe you would like to disable or uninstall it
>> first, to see if the fault still happens. WinDbg also reports
>> that OVERLAPPED_MODULE: Address regions for 'nwifi' and 'appexDrv.sys'
>> overlap. The description of 'appexDrv.sys' is "AppEx Accelerator LWF/WFP
>> Driver L.E.". nwifi.sys seems to be a Microsoft built-in component,
>> and AppEx Networks Accelerator seems to be VPN software; unfortunately, I
>> didn't find a download link. But this is maybe not the main cause; anyway,
>> you can try to shut it down to see if there's any change.
>>
>> 072715-48062-01.dmp's report is pasted here:
>>
>>
>> *******************************************************************************
>> *                                                                             *
>> *                        Bugcheck Analysis                                    *
>> *                                                                             *
>> *******************************************************************************
>>
>> Use !analyze -v to get detailed debugging information.
>>
>> BugCheck C2, {7, 1200, 0, ffffe0008d01cbf8}
>>
>> fffff80059152240: Unable to get special pool info
>> fffff80059152240: Unable to get special pool info
>> unable to get nt!MmPoolCodeStart
>> unable to get nt!MmPoolCodeEnd
>> Probably caused by : NETIO.SYS ( NETIO!NetioCompleteCloneNetBufferListChain+1508d )
>>
>> Followup: MachineOwner
>> ---------
>>
>> 0: kd> !analyze -v
>>
>> *******************************************************************************
>> *                                                                             *
>> *                        Bugcheck Analysis                                    *
>> *                                                                             *
>> *******************************************************************************
>>
>> BAD_POOL_CALLER (c2)
>> The current thread is making a bad pool request.  Typically this is at a
>> bad IRQL level or double freeing the same allocation, etc.
>> Arguments:
>> Arg1: 0000000000000007, Attempt to free pool which was already freed
>> Arg2: 0000000000001200, (reserved)
>> Arg3: 0000000000000000, Memory contents of the pool block
>> Arg4: ffffe0008d01cbf8, Address of the block of pool being deallocated
>>
>> Debugging Details:
>> ------------------
>>
>>
>> OVERLAPPED_MODULE: Address regions for 'nwifi' and 'appexDrv.sys' overlap
>>
>> POOL_ADDRESS:  ffffe0008d01cbf8
>>
>> FREED_POOL_TAG:  NDnd
>>
>> BUGCHECK_STR:  0xc2_7_NDnd
>>
>> CUSTOMER_CRASH_COUNT:  1
>>
>> DEFAULT_BUCKET_ID:  VISTA_DRIVER_FAULT
>>
>> PROCESS_NAME:  Asset-uPNP.exe
>>
>> CURRENT_IRQL:  2
>>
>> LAST_CONTROL_TRANSFER:  from fffff8005912fff2 to fffff80058fdbca0
>>
>> STACK_TEXT:
>> ffffd000`27118f88 fffff800`5912fff2 : 00000000`000000c2 00000000`00000007 00000000`00001200 00000000`00000000 : nt!KeBugCheckEx
>> ffffd000`27118f90 fffff800`3763083d : 00000000`00000000 ffffe000`8d596040 000008fe`00000010 00000014`00000000 : nt!ExAllocatePoolWithTag+0x1102
>> ffffd000`27119080 fffff800`376023f1 : 00000000`00000000 ffffe000`8ceb3740 00000000`00000000 00000000`00000000 : NETIO!NetioCompleteCloneNetBufferListChain+0x1508d
>> ffffd000`271190f0 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : NETIO!NetioDereferenceNetBufferListChain+0x2d1
>>
>>
>> STACK_COMMAND:  kb
>>
>> FOLLOWUP_IP:
>> NETIO!NetioCompleteCloneNetBufferListChain+1508d
>> fffff800`3763083d 90              nop
>>
>> SYMBOL_STACK_INDEX:  2
>>
>> SYMBOL_NAME:  NETIO!NetioCompleteCloneNetBufferListChain+1508d
>>
>> FOLLOWUP_NAME:  MachineOwner
>>
>> MODULE_NAME: NETIO
>>
>> IMAGE_NAME:  NETIO.SYS
>>
>> DEBUG_FLR_IMAGE_TIMESTAMP:  540ebbe6
>>
>> FAILURE_BUCKET_ID:  X64_0xc2_7_NDnd_NETIO!NetioCompleteCloneNetBufferListChain+1508d
>>
>> BUCKET_ID:  X64_0xc2_7_NDnd_NETIO!NetioCompleteCloneNetBufferListChain+1508d
>>
>> Followup: MachineOwner
>> ---------
>>
>> On Tue, Jul 28, 2015 at 3:12 PM, Tyson Key <tyson....@gmail.com> wrote:
>>
>>> I just uploaded my MiniDumps to
>>> https://dl.dropboxusercontent.com/u/670345/MiniDump.rar, if it makes
>>> debugging this easier.
>>>
>>> Tyson.
>>>
>>> 2015-07-28 8:08 GMT+01:00 Tyson Key <tyson....@gmail.com>:
>>>
>>>> Hi Yang,
>>>>
>>>> Thanks for looking into this.
>>>>
>>>> I can't remember when/how I installed Win10PCap (guessing that I
>>>> briefly had a look, but couldn't get it to do anything on my machine, and
>>>> just removed it), but I'm using VMware Player 6.0.7 build-2844087 (haven't
>>>> got Workstation/Server installed); and I tried a dance of
>>>> upgrading/downgrading/upgrading my AR9485WB-EG WLAN driver (first by
>>>> downloading the package from
>>>> http://support.lenovo.com/us/en/downloads/ds032333, to take me from
>>>> 10.0.0.242, to 10.0.0.75; and then using Device Manager's driver update
>>>> function, to take me to 3.0.1.155 (which I'm guessing is probably older
>>>> than 242 - I'm just guessing from the sketchy build dates) - which gave me
>>>> a different type of BSoD, initially, after starting Wireshark, but let me
>>>> capture traffic for a little while, after rebooting.
>>>>
>>>> Here's all of the MiniDump summaries that I could find:
>>>>
>>>> ==================================================
>>>> Dump File         : 072715-31968-01.dmp
>>>> Crash Time        : 27/07/2015 07:02:32 pm
>>>> Bug Check String  : SYSTEM_SERVICE_EXCEPTION
>>>> Bug Check Code    : 0x0000003b
>>>> Parameter 1       : 00000000`c0000005
>>>> Parameter 2       : fffff801`1be5d485
>>>> Parameter 3       : ffffd000`2324e980
>>>> Parameter 4       : 00000000`00000000
>>>> Caused By Driver  : ntoskrnl.exe
>>>> Caused By Address : ntoskrnl.exe+150ca0
>>>> File Description  : NT Kernel & System
>>>> Product Name      : Microsoft® Windows® Operating System
>>>> Company           : Microsoft Corporation
>>>> File Version      : 6.3.9600.17736 (winblue_r9.150322-1500)
>>>> Processor         : x64
>>>> Crash Address     : ntoskrnl.exe+150ca0
>>>> Stack Address 1   :
>>>> Stack Address 2   :
>>>> Stack Address 3   :
>>>> Computer Name     :
>>>> Full Path         : C:\WINDOWS\Minidump\072715-31968-01.dmp
>>>> Processors Count  : 4
>>>> Major Version     : 15
>>>> Minor Version     : 9600
>>>> Dump File Size    : 281,520
>>>> Dump File Time    : 27/07/2015 07:03:33 pm
>>>> ==================================================
>>>>
>>>> ==================================================
>>>> Dump File         : 072715-32078-01.dmp
>>>> Crash Time        : 27/07/2015 06:47:01 pm
>>>> Bug Check String  : BAD_POOL_CALLER
>>>> Bug Check Code    : 0x000000c2
>>>> Parameter 1       : 00000000`00000099
>>>> Parameter 2       : ffffe000`7d4b31b8
>>>> Parameter 3       : 00000000`00000000
>>>> Parameter 4       : 00000000`00000000
>>>> Caused By Driver  : tcpip.sys
>>>> Caused By Address : tcpip.sys+42856
>>>> File Description  : TCP/IP Driver
>>>> Product Name      : Microsoft® Windows® Operating System
>>>> Company           : Microsoft Corporation
>>>> File Version      : 6.3.9600.16384 (winblue_rtm.130821-1623)
>>>> Processor         : x64
>>>> Crash Address     : ntoskrnl.exe+150ca0
>>>> Stack Address 1   :
>>>> Stack Address 2   :
>>>> Stack Address 3   :
>>>> Computer Name     :
>>>> Full Path         : C:\WINDOWS\Minidump\072715-32078-01.dmp
>>>> Processors Count  : 4
>>>> Major Version     : 15
>>>> Minor Version     : 9600
>>>> Dump File Size    : 281,520
>>>> Dump File Time    : 27/07/2015 06:48:04 pm
>>>> ==================================================
>>>>
>>>> ==================================================
>>>> Dump File         : 072715-32468-01.dmp
>>>> Crash Time        : 27/07/2015 06:34:37 pm
>>>> Bug Check String  : SYSTEM_SERVICE_EXCEPTION
>>>> Bug Check Code    : 0x0000003b
>>>> Parameter 1       : 00000000`c0000005
>>>> Parameter 2       : fffff801`962a446e
>>>> Parameter 3       : ffffd001`1bd0f980
>>>> Parameter 4       : 00000000`00000000
>>>> Caused By Driver  : ndis.sys
>>>> Caused By Address : ndis.sys+546e
>>>> File Description  : Network Driver Interface Specification (NDIS)
>>>> Product Name      : Microsoft® Windows® Operating System
>>>> Company           : Microsoft Corporation
>>>> File Version      : 6.3.9600.16384 (winblue_rtm.130821-1623)
>>>> Processor         : x64
>>>> Crash Address     : ntoskrnl.exe+150ca0
>>>> Stack Address 1   :
>>>> Stack Address 2   :
>>>> Stack Address 3   :
>>>> Computer Name     :
>>>> Full Path         : C:\WINDOWS\Minidump\072715-32468-01.dmp
>>>> Processors Count  : 4
>>>> Major Version     : 15
>>>> Minor Version     : 9600
>>>> Dump File Size    : 281,520
>>>> Dump File Time    : 27/07/2015 06:35:48 pm
>>>> ==================================================
>>>>
>>>> ==================================================
>>>> Dump File         : 072715-33859-01.dmp
>>>> Crash Time        : 27/07/2015 05:11:25 pm
>>>> Bug Check String  : BAD_POOL_CALLER
>>>> Bug Check Code    : 0x000000c2
>>>> Parameter 1       : 00000000`00000007
>>>> Parameter 2       : 00000000`00001200
>>>> Parameter 3       : 00000000`00000000
>>>> Parameter 4       : ffffe000`8d01cbf8
>>>> Caused By Driver  : ntoskrnl.exe
>>>> Caused By Address : ntoskrnl.exe+150ca0
>>>> File Description  : NT Kernel & System
>>>> Product Name      : Microsoft® Windows® Operating System
>>>> Company           : Microsoft Corporation
>>>> File Version      : 6.3.9600.17736 (winblue_r9.150322-1500)
>>>> Processor         : x64
>>>> Crash Address     : ntoskrnl.exe+150ca0
>>>> Stack Address 1   :
>>>> Stack Address 2   :
>>>> Stack Address 3   :
>>>> Computer Name     :
>>>> Full Path         : C:\WINDOWS\Minidump\072715-33859-01.dmp
>>>> Processors Count  : 4
>>>> Major Version     : 15
>>>> Minor Version     : 9600
>>>> Dump File Size    : 281,520
>>>> Dump File Time    : 27/07/2015 05:12:34 pm
>>>> ==================================================
>>>>
>>>> ==================================================
>>>> Dump File         : 072715-48062-01.dmp
>>>> Crash Time        : 27/07/2015 05:00:25 pm
>>>> Bug Check String  : BAD_POOL_CALLER
>>>> Bug Check Code    : 0x000000c2
>>>> Parameter 1       : 00000000`00000007
>>>> Parameter 2       : 00000000`00001200
>>>> Parameter 3       : 00000000`00000000
>>>> Parameter 4       : ffffe000`4bc1b4c8
>>>> Caused By Driver  : ntoskrnl.exe
>>>> Caused By Address : ntoskrnl.exe+150ca0
>>>> File Description  : NT Kernel & System
>>>> Product Name      : Microsoft® Windows® Operating System
>>>> Company           : Microsoft Corporation
>>>> File Version      : 6.3.9600.17736 (winblue_r9.150322-1500)
>>>> Processor         : x64
>>>> Crash Address     : ntoskrnl.exe+150ca0
>>>> Stack Address 1   :
>>>> Stack Address 2   :
>>>> Stack Address 3   :
>>>> Computer Name     :
>>>> Full Path         : C:\WINDOWS\Minidump\072715-48062-01.dmp
>>>> Processors Count  : 4
>>>> Major Version     : 15
>>>> Minor Version     : 9600
>>>> Dump File Size    : 281,520
>>>> Dump File Time    : 27/07/2015 05:01:58 pm
>>>> ==================================================
>>>>
>>>> Frustratingly, since there are so many variables involved (unscientific
>>>> method!), it seems like I'm playing a Jenga game with trying to make this
>>>> work, since if I remove, or change something, it works for a little while,
>>>> and then crashes in a creative, new way. (And I don't want to reinstall
>>>> everything, since I don't have a disk big enough to back everything up). :(
>>>>
>>>> I've uploaded a copy of the Nurago Web Meter to
>>>> https://dl.dropboxusercontent.com/u/670345/nurago%20web%20meter.exe,
>>>> and I seem to also have an older installer for it in my "Downloads"
>>>> directory, which may exercise the LSP architecture of WinSock differently.
>>>>
>>>> The SYSTEM_SERVICE_EXCEPTION error is interesting, as it is one of the
>>>> few that reveals a problem in WinSock/NDIS...
>>>>
>>>> I would try it in a virtual machine - but it wouldn't get us any closer
>>>> to diagnosing why it fails to work, with my not-so-unique configuration.
>>>>
>>>> Tyson.
>>>>
>>>> 2015-07-28 7:27 GMT+01:00 Yang Luo <hslu...@gmail.com>:
>>>>
>>>>>
>>>>>
>>>>> On Mon, Jul 27, 2015 at 10:42 PM, Tyson Key <tyson....@gmail.com>
>>>>> wrote:
>>>>>
>>>>>> After rebooting from uninstalling MS NetMon, I restarted Wireshark,
>>>>>> and got the usual "NPF service not running; no interfaces available"
>>>>>> note. This persists, even if I try "NPFInstall -r", and Wireshark still
>>>>>> claims that no interfaces are available.
>>>>>>
>>>>>>
>>>>> "*NPFInstall -r*" isn't used in Npcap. "*NPF service not running; no
>>>>> interfaces available*" is a common problem with previous Npcap
>>>>> versions. And I think it should disappear if you have uninstalled the
>>>>> previous versions completely.
>>>>>
>>>>>
>>>>>> Eventually, after uninstalling NPCap, removing all of the loopback
>>>>>> interfaces, and running CCleaner to remove any residual registry data,
>>>>>> and then rebooting yet again, I could start Wireshark, and list the
>>>>>> installed interfaces - but unsurprisingly, a few moments later, I
>>>>>> received another BSoD.
>>>>>>
>>>>>> If it helps, my Wireshark version is:
>>>>>>
>>>>>> Version 1.99.8-492-g3f0f49d (v1.99.8rc0-492-g3f0f49d from master)
>>>>>>
>>>>>> Copyright 1998-2015 Gerald Combs <ger...@wireshark.org> and contributors.
>>>>>> License GPLv2+: GNU GPL version 2 or later <http://www.gnu.org/licenses/old-licenses/gpl-2.0.html>
>>>>>> This is free software; see the source for copying conditions. There is NO
>>>>>> warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
>>>>>>
>>>>>> Compiled (64-bit) with GTK+ 2.24.23, with Cairo 1.12.16, with Pango 1.36.8, with
>>>>>> WinPcap (unknown), with libz 1.2.8, with GLib 2.42.0, with SMI 0.4.8, with
>>>>>> c-ares 1.9.1, with Lua 5.2, with GnuTLS 3.2.15, with Gcrypt 1.6.2, with MIT
>>>>>> Kerberos, with GeoIP, with PortAudio V19-devel (built Jul 22 2015), with
>>>>>> AirPcap.
>>>>>>
>>>>>> Running on 64-bit Windows 8.1, build 9600, with locale English_United
>>>>>> Kingdom.1252, with Npcap version 0.01 (packet.dll version 0.03), based on
>>>>>> WinPcap version 4.1.3 (packet.dll version 4.1.0.3001), based on libpcap version
>>>>>> 1.0 branch 1_0_rel0b (20091008), with GnuTLS 3.2.15, with Gcrypt 1.6.2, without
>>>>>> AirPcap.
>>>>>> AMD A6-5200 APU with Radeon(TM) HD Graphics     (with SSE4.2), with 5577MB of
>>>>>> physical memory.
>>>>>>
>>>>>>
>>>>>> Built using Microsoft Visual C++ 12.0 build 31101
>>>>>>
>>>>>> Wireshark is Open Source Software released under the GNU General
>>>>>> Public License.
>>>>>>
>>>>>> Check the man page and http://www.wireshark.org for more information.
>>>>>>
>>>>>
>>>>> I used the latest stable Wireshark version: Version 1.12.6
>>>>> (v1.12.6-0-gee1fce6 from master-1.12). But I don't think it makes a
>>>>> difference whether you use the stable version or the development version,
>>>>> as its WinPcap-related low-level code rarely changed between these two
>>>>> versions.
>>>>>
>>>>>
>>>>>>
>>>>>> Other than NetMon (which I've removed), the only other things that I
>>>>>> think could be causing a conflict are either the VMware host-only
>>>>>> networking filters; the networking components included with whatever
>>>>>> Bluetooth stack Lenovo shipped; the massive pile of hacks installed by
>>>>>> the Gacela component of "Nurago Web Meter", or my Atheros WLAN drivers
>>>>>> (which caused Acrylic Wi-Fi's NDIS filters to crash, when I briefly had
>>>>>> that installed, a while ago).
>>>>>>
>>>>>
>>>>> What version of VMware are you using? Workstation or just Player? I used
>>>>> VMware Workstation 11.1.2 build-2780323 on my host, but I didn't install
>>>>> it on my test VM yet.
>>>>>
>>>>>
>>>>> Cheers,
>>>>> Yang
>>>>>
>>>>>
>>>>> ___________________________________________________________________________
>>>>> Sent via:    Wireshark-dev mailing list <wireshark-dev@wireshark.org>
>>>>> Archives:    https://www.wireshark.org/lists/wireshark-dev
>>>>> Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
>>>>>              mailto:wireshark-dev-requ...@wireshark.org?subject=unsubscribe
>>>>>
>>>>
>>>>
>>>>
>>>> --
>>>>                                           Fight Internet Censorship!
>>>> http://www.eff.org
>>>> http://vmlemon.wordpress.com | Twitter/FriendFeed/Skype: vmlemon |
>>>> 00447934365844
>>>>
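The grouping Yang arrives at in the quoted analysis (two SYSTEM_SERVICE_EXCEPTION dumps, two double-free BAD_POOL_CALLER dumps, one Verifier-related dump) can be reproduced from the quoted minidump summaries alone by bucketing on bug check code and Parameter 1. This Python script is an added example, not part of the thread; the sample records are constructed from fields copied out of the quoted summaries, and the Parameter 1 meanings are taken from Microsoft's bug check reference, not from the posts.

```python
import re
from collections import defaultdict
# Constructed sample: three fields per dump, copied from the summaries quoted in the thread.
SAMPLE = """\
==================================================
Dump File         : 072715-31968-01.dmp
Bug Check Code    : 0x0000003b
Parameter 1       : 00000000`c0000005
==================================================
Dump File         : 072715-32078-01.dmp
Bug Check Code    : 0x000000c2
Parameter 1       : 00000000`00000099
==================================================
Dump File         : 072715-32468-01.dmp
Bug Check Code    : 0x0000003b
Parameter 1       : 00000000`c0000005
==================================================
Dump File         : 072715-33859-01.dmp
Bug Check Code    : 0x000000c2
Parameter 1       : 00000000`00000007
==================================================
Dump File         : 072715-48062-01.dmp
Bug Check Code    : 0x000000c2
Parameter 1       : 00000000`00000007
"""

# 0xC2 (BAD_POOL_CALLER): Parameter 1 is the violation type (only the two seen here).
C2_REASONS = {0x07: "pool block already freed",
              0x99: "invalid address freed or pool header corrupt"}
# 0x3B (SYSTEM_SERVICE_EXCEPTION): Parameter 1 is the NTSTATUS exception code.
NTSTATUS = {0xC0000005: "STATUS_ACCESS_VIOLATION"}

# "Key   : value" line, tolerating e-mail quote prefixes such as ">>>> ".
FIELD = re.compile(r"^[>\s]*([A-Za-z0-9 ]+?)\s*:\s?(.*)$")

def parse_summaries(text):
    """Split on the ==== separator lines and return one dict per dump record."""
    records = []
    for chunk in re.split(r"^[>\s]*={10,}\s*$", text, flags=re.M):
        rec = {}
        for line in chunk.splitlines():
            m = FIELD.match(line)
            if m:
                rec[m.group(1)] = m.group(2).strip()
        if "Dump File" in rec:
            records.append(rec)
    return records

def signature(rec):
    """Return (bug check code, parameter 1, decoded meaning) for one record."""
    code = int(rec["Bug Check Code"], 16)
    p1 = int(rec["Parameter 1"].replace("`", ""), 16)
    table = {0xC2: C2_REASONS, 0x3B: NTSTATUS}.get(code, {})
    return (code, p1, table.get(p1, "unknown"))

def bucket(records):
    """Group dump file names by signature, so repeats of one fault stand out."""
    groups = defaultdict(list)
    for rec in records:
        groups[signature(rec)].append(rec["Dump File"])
    return dict(groups)

if __name__ == "__main__":
    for (code, p1, detail), dumps in bucket(parse_summaries(SAMPLE)).items():
        print(f"0x{code:02X} / 0x{p1:X} ({detail}): {', '.join(dumps)}")
```

Dumps that share a signature are usually one fault seen twice, so only one dump per bucket needs a full `!analyze -v` pass.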