Hi Yang,

Thanks for looking at these dumps.

Yup, I think I enabled the verifier, a few months ago, whilst trying to
debug some other issue (probably related to the AppEx thing), and I forgot
that I kept it enabled.

As for the dumpcap arguments, I just let Wireshark invoke it, through the
GUI - so the arguments are whatever it spits out by default, to set up
various pipes. I'd have to surgically remove NPCap, and replace it with
regular WinPCap, and then try to trace Wireshark Qt/GTK, to learn the
arguments (or see if "tasklist /V", or some other utility reveals them).
I'd expect that they'd look similar to the ones issued under Linux, modulo
device names, though.

I'm kinda surprised that Asset is responsible for some of the crashes, to
be honest. Sure, it does funny things with multicasting, as a UPnP server
implementation, but it's usually pretty reliable, in general operation.
Might be worth me reporting a bug to Illustrate, when I get chance; and
I'll see what happens if I uninstall it, in the meantime.

As for AppEx, I'm pretty sure that I removed its driver from all of my
interfaces, but I wouldn't be surprised if there's not something vestigial.
Going to see if I can fully cleanse it from my system, since it was an
OEM-supplied product, and not something that I opted to install. (And I've
had BSoDs from it before, whilst trying to diagnose some WLAN problems). I
think it's supposed to be some sort of "game/multimedia quality-of-service
optimisation" tool.

Take care,

Tyson.

2015-07-28 12:41 GMT+01:00 Yang Luo <hslu...@gmail.com>:

> Hi Tyson,
>
> I have analyzed the five dumps you provided:
>
> 1) 072715-32078-01.dmp
> This dump is caused by nt!VerifierBugCheckIfAppropriate+0x3c code from
> process svchost.exe, and it seems that you switched on the Verifier
> function for your system. I think there's no relationship with Npcap.
>
> 2) 072715-31968-01.dmp and 072715-32468-01.dmp
> These dumps report a BSoD with SYSTEM_SERVICE_EXCEPTION. It is caused
> by ndis!NdisFOidRequest+62 code from process dumpcap.exe. As Npcap uses
> NdisFOidRequest calls, I think it's possibly a bug. I'd like to know how
> you used dumpcap.exe, e.g. with which parameters?
>
> 3) 072715-33859-01.dmp and 072715-48062-01.dmp
> It is caused by Asset-uPNP.exe, from the Asset audio server software
> provided by illustrate. I think maybe you would like to disable or
> uninstall it first, to see if the fault still happens. WinDbg also reports
> OVERLAPPED_MODULE: Address regions for 'nwifi' and 'appexDrv.sys'
> overlap. The description of 'appexDrv.sys' is "AppEx Accelerator LWF/WFP
> Driver L.E.". nwifi.sys seems to be a Microsoft built-in component,
> and AppEx Networks Accelerator seems to be VPN software; unfortunately, I
> didn't find a download link. But this is maybe not the main cause; anyway,
> you can try to shut it down to see if there's any change.
>
> 072715-48062-01.dmp's report is pasted here:
>
>
> *******************************************************************************
> *                                                                             *
> *                        Bugcheck Analysis                                    *
> *                                                                             *
> *******************************************************************************
>
> Use !analyze -v to get detailed debugging information.
>
> BugCheck C2, {7, 1200, 0, ffffe0008d01cbf8}
>
> fffff80059152240: Unable to get special pool info
> fffff80059152240: Unable to get special pool info
> unable to get nt!MmPoolCodeStart
> unable to get nt!MmPoolCodeEnd
> Probably caused by : NETIO.SYS ( NETIO!NetioCompleteCloneNetBufferListChain+1508d )
>
> Followup: MachineOwner
> ---------
>
> 0: kd> !analyze -v
>
> *******************************************************************************
> *                                                                             *
> *                        Bugcheck Analysis                                    *
> *                                                                             *
> *******************************************************************************
>
> BAD_POOL_CALLER (c2)
> The current thread is making a bad pool request.  Typically this is at a
> bad IRQL level or double freeing the same allocation, etc.
> Arguments:
> Arg1: 0000000000000007, Attempt to free pool which was already freed
> Arg2: 0000000000001200, (reserved)
> Arg3: 0000000000000000, Memory contents of the pool block
> Arg4: ffffe0008d01cbf8, Address of the block of pool being deallocated
>
> Debugging Details:
> ------------------
>
>
> OVERLAPPED_MODULE: Address regions for 'nwifi' and 'appexDrv.sys' overlap
>
> POOL_ADDRESS:  ffffe0008d01cbf8
>
> FREED_POOL_TAG:  NDnd
>
> BUGCHECK_STR:  0xc2_7_NDnd
>
> CUSTOMER_CRASH_COUNT:  1
>
> DEFAULT_BUCKET_ID:  VISTA_DRIVER_FAULT
>
> PROCESS_NAME:  Asset-uPNP.exe
>
> CURRENT_IRQL:  2
>
> LAST_CONTROL_TRANSFER:  from fffff8005912fff2 to fffff80058fdbca0
>
> STACK_TEXT:
> ffffd000`27118f88 fffff800`5912fff2 : 00000000`000000c2 00000000`00000007 00000000`00001200 00000000`00000000 : nt!KeBugCheckEx
> ffffd000`27118f90 fffff800`3763083d : 00000000`00000000 ffffe000`8d596040 000008fe`00000010 00000014`00000000 : nt!ExAllocatePoolWithTag+0x1102
> ffffd000`27119080 fffff800`376023f1 : 00000000`00000000 ffffe000`8ceb3740 00000000`00000000 00000000`00000000 : NETIO!NetioCompleteCloneNetBufferListChain+0x1508d
> ffffd000`271190f0 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : NETIO!NetioDereferenceNetBufferListChain+0x2d1
>
>
> STACK_COMMAND:  kb
>
> FOLLOWUP_IP:
> NETIO!NetioCompleteCloneNetBufferListChain+1508d
> fffff800`3763083d 90              nop
>
> SYMBOL_STACK_INDEX:  2
>
> SYMBOL_NAME:  NETIO!NetioCompleteCloneNetBufferListChain+1508d
>
> FOLLOWUP_NAME:  MachineOwner
>
> MODULE_NAME: NETIO
>
> IMAGE_NAME:  NETIO.SYS
>
> DEBUG_FLR_IMAGE_TIMESTAMP:  540ebbe6
>
> FAILURE_BUCKET_ID:  X64_0xc2_7_NDnd_NETIO!NetioCompleteCloneNetBufferListChain+1508d
>
> BUCKET_ID:  X64_0xc2_7_NDnd_NETIO!NetioCompleteCloneNetBufferListChain+1508d
>
> Followup: MachineOwner
> ---------
>
> On Tue, Jul 28, 2015 at 3:12 PM, Tyson Key <tyson....@gmail.com> wrote:
>
>> I just uploaded my MiniDumps to
>> https://dl.dropboxusercontent.com/u/670345/MiniDump.rar, if it makes
>> debugging this easier.
>>
>> Tyson.
>>
>> 2015-07-28 8:08 GMT+01:00 Tyson Key <tyson....@gmail.com>:
>>
>>> Hi Yang,
>>>
>>> Thanks for looking into this.
>>>
>>> I can't remember when/how I installed Win10PCap (guessing that I briefly
>>> had a look, but couldn't get it to do anything on my machine, and just
>>> removed it), but I'm using VMware Player 6.0.7 build-2844087 (haven't got
>>> Workstation/Server installed); and I tried a dance of
>>> upgrading/downgrading/upgrading my AR9485WB-EG WLAN driver (first by
>>> downloading the package from
>>> http://support.lenovo.com/us/en/downloads/ds032333, to take me from
>>> 10.0.0.242, to 10.0.0.75; and then using Device Manager's driver update
>>> function, to take me to 3.0.1.155 (which I'm guessing is probably older
>>> than 242 - I'm just guessing from the sketchy build dates)) - which gave
>>> me a different type of BSoD, initially, after starting Wireshark, but let
>>> me capture traffic for a little while, after rebooting.
>>>
>>> Here's all of the MiniDump summaries that I could find:
>>>
>>> ==================================================
>>> Dump File         : 072715-31968-01.dmp
>>> Crash Time        : 27/07/2015 07:02:32 pm
>>> Bug Check String  : SYSTEM_SERVICE_EXCEPTION
>>> Bug Check Code    : 0x0000003b
>>> Parameter 1       : 00000000`c0000005
>>> Parameter 2       : fffff801`1be5d485
>>> Parameter 3       : ffffd000`2324e980
>>> Parameter 4       : 00000000`00000000
>>> Caused By Driver  : ntoskrnl.exe
>>> Caused By Address : ntoskrnl.exe+150ca0
>>> File Description  : NT Kernel & System
>>> Product Name      : Microsoft® Windows® Operating System
>>> Company           : Microsoft Corporation
>>> File Version      : 6.3.9600.17736 (winblue_r9.150322-1500)
>>> Processor         : x64
>>> Crash Address     : ntoskrnl.exe+150ca0
>>> Stack Address 1   :
>>> Stack Address 2   :
>>> Stack Address 3   :
>>> Computer Name     :
>>> Full Path         : C:\WINDOWS\Minidump\072715-31968-01.dmp
>>> Processors Count  : 4
>>> Major Version     : 15
>>> Minor Version     : 9600
>>> Dump File Size    : 281,520
>>> Dump File Time    : 27/07/2015 07:03:33 pm
>>> ==================================================
>>>
>>> ==================================================
>>> Dump File         : 072715-32078-01.dmp
>>> Crash Time        : 27/07/2015 06:47:01 pm
>>> Bug Check String  : BAD_POOL_CALLER
>>> Bug Check Code    : 0x000000c2
>>> Parameter 1       : 00000000`00000099
>>> Parameter 2       : ffffe000`7d4b31b8
>>> Parameter 3       : 00000000`00000000
>>> Parameter 4       : 00000000`00000000
>>> Caused By Driver  : tcpip.sys
>>> Caused By Address : tcpip.sys+42856
>>> File Description  : TCP/IP Driver
>>> Product Name      : Microsoft® Windows® Operating System
>>> Company           : Microsoft Corporation
>>> File Version      : 6.3.9600.16384 (winblue_rtm.130821-1623)
>>> Processor         : x64
>>> Crash Address     : ntoskrnl.exe+150ca0
>>> Stack Address 1   :
>>> Stack Address 2   :
>>> Stack Address 3   :
>>> Computer Name     :
>>> Full Path         : C:\WINDOWS\Minidump\072715-32078-01.dmp
>>> Processors Count  : 4
>>> Major Version     : 15
>>> Minor Version     : 9600
>>> Dump File Size    : 281,520
>>> Dump File Time    : 27/07/2015 06:48:04 pm
>>> ==================================================
>>>
>>> ==================================================
>>> Dump File         : 072715-32468-01.dmp
>>> Crash Time        : 27/07/2015 06:34:37 pm
>>> Bug Check String  : SYSTEM_SERVICE_EXCEPTION
>>> Bug Check Code    : 0x0000003b
>>> Parameter 1       : 00000000`c0000005
>>> Parameter 2       : fffff801`962a446e
>>> Parameter 3       : ffffd001`1bd0f980
>>> Parameter 4       : 00000000`00000000
>>> Caused By Driver  : ndis.sys
>>> Caused By Address : ndis.sys+546e
>>> File Description  : Network Driver Interface Specification (NDIS)
>>> Product Name      : Microsoft® Windows® Operating System
>>> Company           : Microsoft Corporation
>>> File Version      : 6.3.9600.16384 (winblue_rtm.130821-1623)
>>> Processor         : x64
>>> Crash Address     : ntoskrnl.exe+150ca0
>>> Stack Address 1   :
>>> Stack Address 2   :
>>> Stack Address 3   :
>>> Computer Name     :
>>> Full Path         : C:\WINDOWS\Minidump\072715-32468-01.dmp
>>> Processors Count  : 4
>>> Major Version     : 15
>>> Minor Version     : 9600
>>> Dump File Size    : 281,520
>>> Dump File Time    : 27/07/2015 06:35:48 pm
>>> ==================================================
>>>
>>> ==================================================
>>> Dump File         : 072715-33859-01.dmp
>>> Crash Time        : 27/07/2015 05:11:25 pm
>>> Bug Check String  : BAD_POOL_CALLER
>>> Bug Check Code    : 0x000000c2
>>> Parameter 1       : 00000000`00000007
>>> Parameter 2       : 00000000`00001200
>>> Parameter 3       : 00000000`00000000
>>> Parameter 4       : ffffe000`8d01cbf8
>>> Caused By Driver  : ntoskrnl.exe
>>> Caused By Address : ntoskrnl.exe+150ca0
>>> File Description  : NT Kernel & System
>>> Product Name      : Microsoft® Windows® Operating System
>>> Company           : Microsoft Corporation
>>> File Version      : 6.3.9600.17736 (winblue_r9.150322-1500)
>>> Processor         : x64
>>> Crash Address     : ntoskrnl.exe+150ca0
>>> Stack Address 1   :
>>> Stack Address 2   :
>>> Stack Address 3   :
>>> Computer Name     :
>>> Full Path         : C:\WINDOWS\Minidump\072715-33859-01.dmp
>>> Processors Count  : 4
>>> Major Version     : 15
>>> Minor Version     : 9600
>>> Dump File Size    : 281,520
>>> Dump File Time    : 27/07/2015 05:12:34 pm
>>> ==================================================
>>>
>>> ==================================================
>>> Dump File         : 072715-48062-01.dmp
>>> Crash Time        : 27/07/2015 05:00:25 pm
>>> Bug Check String  : BAD_POOL_CALLER
>>> Bug Check Code    : 0x000000c2
>>> Parameter 1       : 00000000`00000007
>>> Parameter 2       : 00000000`00001200
>>> Parameter 3       : 00000000`00000000
>>> Parameter 4       : ffffe000`4bc1b4c8
>>> Caused By Driver  : ntoskrnl.exe
>>> Caused By Address : ntoskrnl.exe+150ca0
>>> File Description  : NT Kernel & System
>>> Product Name      : Microsoft® Windows® Operating System
>>> Company           : Microsoft Corporation
>>> File Version      : 6.3.9600.17736 (winblue_r9.150322-1500)
>>> Processor         : x64
>>> Crash Address     : ntoskrnl.exe+150ca0
>>> Stack Address 1   :
>>> Stack Address 2   :
>>> Stack Address 3   :
>>> Computer Name     :
>>> Full Path         : C:\WINDOWS\Minidump\072715-48062-01.dmp
>>> Processors Count  : 4
>>> Major Version     : 15
>>> Minor Version     : 9600
>>> Dump File Size    : 281,520
>>> Dump File Time    : 27/07/2015 05:01:58 pm
>>> ==================================================
>>>
>>> Frustratingly, since there are so many variables involved (unscientific
>>> method!), it seems like I'm playing a Jenga game with trying to make this
>>> work, since if I remove, or change something, it works for a little while,
>>> and then crashes in a creative, new way. (And I don't want to reinstall
>>> everything, since I don't have a disk big enough to back everything up). :(
>>>
>>> I've uploaded a copy of the Nurago Web Meter to
>>> https://dl.dropboxusercontent.com/u/670345/nurago%20web%20meter.exe,
>>> and I seem to also have an older installer for it in my "Downloads"
>>> directory, which may exercise the LSP architecture of WinSock differently.
>>>
>>> The SYSTEM_SERVICE_EXCEPTION error is interesting, as it is one of the
>>> few that reveals a problem in WinSock/NDIS...
>>>
>>> I would try it in a virtual machine - but it wouldn't get us any closer
>>> to diagnosing why it fails to work, with my not-so-unique configuration.
>>>
>>> Tyson.
>>>
>>> 2015-07-28 7:27 GMT+01:00 Yang Luo <hslu...@gmail.com>:
>>>
>>>>
>>>>
>>>> On Mon, Jul 27, 2015 at 10:42 PM, Tyson Key <tyson....@gmail.com>
>>>> wrote:
>>>>
>>>>> After rebooting from uninstalling MS NetMon, I restarted Wireshark,
>>>>> and got the usual "NPF service not running; no interfaces available" note.
>>>>> This persists, even if I try "NPFInstall -r", and Wireshark still claims
>>>>> that no interfaces are available.
>>>>>
>>>>>
>>>> "*NPFInstall -r*" isn't used in Npcap. "*NPF service not running; no
>>>> interfaces available*" is a common problem with previous Npcap
>>>> versions. And I think it should disappear if you have uninstalled the
>>>> previous versions totally.
>>>>
>>>>
>>>>> Eventually, after uninstalling NPCap, removing all of the loopback
>>>>> interfaces, and running CCleaner to remove any residual registry data, and
>>>>> then rebooting yet again, I could start Wireshark, and list the installed
>>>>> interfaces - but unsurprisingly, a few moments later, I received another
>>>>> BSoD.
>>>>>
>>>>> If it helps, my Wireshark version is:
>>>>>
>>>>> Version 1.99.8-492-g3f0f49d (v1.99.8rc0-492-g3f0f49d from master)
>>>>>
>>>>> Copyright 1998-2015 Gerald Combs <ger...@wireshark.org> and
>>>>> contributors.
>>>>> License GPLv2+: GNU GPL version 2 or later <
>>>>> http://www.gnu.org/licenses/old-licenses/gpl-2.0.html>
>>>>> This is free software; see the source for copying conditions. There is
>>>>> NO
>>>>> warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR
>>>>> PURPOSE.
>>>>>
>>>>> Compiled (64-bit) with GTK+ 2.24.23, with Cairo 1.12.16, with Pango
>>>>> 1.36.8, with
>>>>> WinPcap (unknown), with libz 1.2.8, with GLib 2.42.0, with SMI 0.4.8,
>>>>> with
>>>>> c-ares 1.9.1, with Lua 5.2, with GnuTLS 3.2.15, with Gcrypt 1.6.2,
>>>>> with MIT
>>>>> Kerberos, with GeoIP, with PortAudio V19-devel (built Jul 22 2015),
>>>>> with
>>>>> AirPcap.
>>>>>
>>>>> Running on 64-bit Windows 8.1, build 9600, with locale English_United
>>>>> Kingdom.1252, with Npcap version 0.01 (packet.dll version 0.03), based
>>>>> on
>>>>> WinPcap version 4.1.3 (packet.dll version 4.1.0.3001), based on
>>>>> libpcap version
>>>>> 1.0 branch 1_0_rel0b (20091008), with GnuTLS 3.2.15, with Gcrypt
>>>>> 1.6.2, without
>>>>> AirPcap.
>>>>> AMD A6-5200 APU with Radeon(TM) HD Graphics     (with SSE4.2), with
>>>>> 5577MB of
>>>>> physical memory.
>>>>>
>>>>>
>>>>> Built using Microsoft Visual C++ 12.0 build 31101
>>>>>
>>>>> Wireshark is Open Source Software released under the GNU General
>>>>> Public License.
>>>>>
>>>>> Check the man page and http://www.wireshark.org for more information.
>>>>>
>>>>
>>>> I used the latest stable version of Wireshark: Version 1.12.6
>>>> (v1.12.6-0-gee1fce6 from master-1.12). But I don't think it makes a
>>>> difference whether you use the stable version or the development
>>>> version, as its WinPcap-related low-level code rarely changed between
>>>> these two versions.
>>>>
>>>>
>>>>>
>>>>> Other than NetMon (which I've removed), the only other things that I
>>>>> think could be causing a conflict are either the VMware host-only
>>>>> networking filters; the networking components included with whatever
>>>>> Bluetooth stack Lenovo shipped; the massive pile of hacks installed by the
>>>>> Gacela component of "Nurago Web Meter", or my Atheros WLAN drivers (which
>>>>> caused Acrylic Wi-Fi's NDIS filters to crash, when I briefly had that
>>>>> installed, a while ago).
>>>>>
>>>>
>>>> What version of VMware are you using? Workstation or just Player? I used
>>>> VMware Workstation 11.1.2 build-2780323 on my host, but I didn't install it
>>>> on my test VM yet.
>>>>
>>>>
>>>> Cheers,
>>>> Yang
>>>>
>>>>
>>>> ___________________________________________________________________________
>>>> Sent via:    Wireshark-dev mailing list <wireshark-dev@wireshark.org>
>>>> Archives:    https://www.wireshark.org/lists/wireshark-dev
>>>> Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
>>>>              mailto:wireshark-dev-requ...@wireshark.org?subject=unsubscribe
>>>>
>>>
>>>
>>>
>>> --
>>>                                           Fight Internet Censorship!
>>> http://www.eff.org
>>> http://vmlemon.wordpress.com | Twitter/FriendFeed/Skype: vmlemon |
>>> 00447934365844
>>>
>>
>>
>>
>>
>
>
>



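Added example, not written by anyone in the thread: a small Python triage script that reads the minidump summaries quoted above (mail quoting left in place) and groups the dumps by bug check code and first parameter, which yields the same three groups as the analysis of the five dumps. The function names are hypothetical; the 0x7 meaning is taken from the WinDbg output in the thread, while the 0x99 and 0xC0000005 meanings come from Microsoft's bug check and NTSTATUS documentation.

```python
from collections import defaultdict

# Three fields from each of the five summaries above, mail quoting left in place.
SUMMARIES = """\
>>> Dump File         : 072715-31968-01.dmp
>>> Bug Check Code    : 0x0000003b
>>> Parameter 1       : 00000000`c0000005
>>> Dump File         : 072715-32078-01.dmp
>>> Bug Check Code    : 0x000000c2
>>> Parameter 1       : 00000000`00000099
>>> Dump File         : 072715-32468-01.dmp
>>> Bug Check Code    : 0x0000003b
>>> Parameter 1       : 00000000`c0000005
>>> Dump File         : 072715-33859-01.dmp
>>> Bug Check Code    : 0x000000c2
>>> Parameter 1       : 00000000`00000007
>>> Dump File         : 072715-48062-01.dmp
>>> Bug Check Code    : 0x000000c2
>>> Parameter 1       : 00000000`00000007
"""

# Meaning of parameter 1 for the (bug check, parameter) pairs seen in this thread.
PARAM1_MEANING = {
    (0x3B, 0xC0000005): "exception code STATUS_ACCESS_VIOLATION",
    (0xC2, 0x07): "attempt to free pool which was already freed",
    (0xC2, 0x99): "attempt to free pool with an invalid address",
}

def parse_summaries(text):
    """Return one dict per dump; a 'Dump File' line starts a new record."""
    records = []
    for line in text.splitlines():
        key, sep, value = (p.strip() for p in line.lstrip("> ").partition(":"))
        if not sep or not key:
            continue  # ruler lines, blanks and bare quote markers carry no field
        if key == "Dump File":
            records.append({})
        if records:
            records[-1][key] = value
    return records

def to_int(value):
    """Both '0x0000003b' and '00000000`c0000005' are hex; drop the backtick."""
    return int(value.replace("`", ""), 16)

def group_by_signature(records):
    """Map (bug check code, parameter 1) -> dump files sharing that signature."""
    groups = defaultdict(list)
    for rec in records:
        sig = (to_int(rec["Bug Check Code"]), to_int(rec["Parameter 1"]))
        groups[sig].append(rec["Dump File"])
    return dict(groups)

def report(groups):
    return [f"0x{code:02X}/0x{p1:X} ({PARAM1_MEANING.get((code, p1), 'not decoded')}): "
            f"{', '.join(dumps)}" for (code, p1), dumps in sorted(groups.items())]

if __name__ == "__main__":
    print("\n".join(report(group_by_signature(parse_summaries(SUMMARIES)))))
```

The parser also accepts the full summary blocks as pasted in the mail, since ruler lines and fields it does not use are simply carried along or skipped.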