bsod after login

The crashes which happened after Avast was removed would be interesting to analyse.

I'm also not seeing the obvious link to 2xexplorer. Unless it's injected its own k-mode driver, it's just an app. Doesn't matter if it's as old as the hills - it's just user-mode code. If it did somehow manage to cause a bugcheck, that would constitute a bug in the OS.

You bring up a good point, H2SO4,
although I haven't seen xplorer² load anything in Ring-0 though...
It's mostly all user-mode code like you said, and the worst it can do is crash itself (well, maybe it can do worse things, but like you said again, if it did BSOD it would technically be an OS bug (or like I said, if it was accessing a network share then it would be a driver issue) as it's not running in either Ring 0-2..)
I would actually like to see which update he is talking about, as I have a customer with a similar laptop model and I have not heard any news of any errors (also configured with Avast).
 

I agree with both of you.

It would not be a kernel mode app. "2002" in a 2008/9 SP1 system just looked odd. I do believe it will cross paths with ?? and result in appcrash/ hang soon enough. OP is x86, so it is most likely OK for now. It would be fooled, of course, in x64 virtualized world.

ZoneAlarm not found in stack text, yet I assume it contributed to BSODs based on the 0xc0000005 exceptions found in WERCON. I do think it caused those.

I don't know what would account for the 0x80000003 exception. Unless injection of ???
 


System One

  • Manufacturer/Model
    HP dv7-1020us
    CPU
    Intel P7350 Core2 Duo @2GHz
    Memory
    4096mb DDR2 SDRAM
    Graphics Card(s)
    NVIDIA GeForce 9600M GT
    Sound Card
    IDT
    Hard Drives
    Fujitsu 320gb SATA HDD 5400RPM
    Mouse
    Logitech USB
    Internet Speed
    Intel 5100

Hi -

Thank you.

I asked for msinfo32 b/c I like to review the WERCON portion of Software Environment to see appcrashes/ hangs.

WERCON showed this Explorer crash w/ ntdll.dll - but a 0x80000003 exception. To me, that indicates a checked-build. But of what? Both MS modules have the tell-tale SP1 timestamp of Jan 19 2008 and the correct version number for SP1.
Code:
3/15/2009 1:48 AM       Application Error       Faulting application Explorer.EXE, version 6.0.6001.18000,
time stamp 0x47918e5d, faulting module ntdll.dll, version 6.0.6001.18000, time stamp 0x4791a7a6,
exception code 0x80000003


So, no - I found no direct 2explorer.exe tie to BSOD - just the 2002 date.

I just noticed while copying the above out, the presence of a BSOD-causing giant -
Code:
ZoneAlarm
vsdatant.sys Thu Nov 13 18:15:52 2008 (491CB528)

@ darkassain - un-install ZoneAlarm. Otherwise, you will be back for additional BSODs in the near future.

Regards. . .

jcgriff2

.
@ H2SO4 - I really like your how-to on crash dump analysis.
I refer many to them.

I also agree on not seeing Avast in stack text. The purpose of Driver Verifier.

.
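The WERCON review described in the post above, as an added example that is not part of the original thread: it parses the quoted Application Error record, classifies the exception code by NTSTATUS severity, and converts the PE time stamps to UTC so the "Jan 19 2008" SP1 build date can be checked. The function names and the two-entry code table are assumptions made for this illustration.

```python
import re
from datetime import datetime, timezone

# Constructed sample: the WERCON record quoted in the post, joined onto one line.
RECORD = ("3/15/2009 1:48 AM Application Error Faulting application Explorer.EXE, "
          "version 6.0.6001.18000, time stamp 0x47918e5d, faulting module ntdll.dll, "
          "version 6.0.6001.18000, time stamp 0x4791a7a6, exception code 0x80000003")

# Only the two codes discussed in the thread, with their standard NTSTATUS names.
KNOWN = {0x80000003: "STATUS_BREAKPOINT", 0xC0000005: "STATUS_ACCESS_VIOLATION"}
SEVERITY = ("success", "informational", "warning", "error")

PATTERN = re.compile(
    r"Faulting application (?P<app>[^,]+), version (?P<app_ver>[\d.]+), "
    r"time stamp 0x(?P<app_ts>[0-9a-fA-F]+), faulting module (?P<mod>[^,]+), "
    r"version (?P<mod_ver>[\d.]+), time stamp 0x(?P<mod_ts>[0-9a-fA-F]+), "
    r"exception code 0x(?P<code>[0-9a-fA-F]+)")

def link_time(hex_ts):
    """A PE TimeDateStamp counts seconds since the Unix epoch, in UTC."""
    return datetime.fromtimestamp(int(hex_ts, 16), tz=timezone.utc)

def parse_record(text):
    # Collapse wrapped lines and runs of spaces before matching.
    m = PATTERN.search(" ".join(text.split()))
    if m is None:
        raise ValueError("not an Application Error record")
    code = int(m["code"], 16)
    return {
        "app": m["app"],
        "module": m["mod"],
        "app_built": link_time(m["app_ts"]),
        "module_built": link_time(m["mod_ts"]),
        "code": code,
        "severity": SEVERITY[code >> 30],   # top two bits of an NTSTATUS value
        "name": KNOWN.get(code, "unknown"),
    }

if __name__ == "__main__":
    for key, value in parse_record(RECORD).items():
        print(f"{key:13} {value}")
```

The same `link_time` call on the driver stamp `491CB528` gives 23:15:52 UTC on Nov 13 2008, which is the 18:15:52 shown in the post at UTC-5.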
I believe you are directing it to jcgriff2, is this correct?
Because if you are not, then I'm confused....:confused:
 


My apologies.

Most of my post intended for H2SO4.

"ZoneAlarm un-install" meant for OP JimJoe
 

I agree with both of you.

It would not be a kernel mode app. "2002" in a 2008/9 SP1 system just looked odd. I do believe it will cross paths with ?? and result in appcrash/ hang soon enough. OP is x86, so it is most likely OK for now. It would be fooled, of course, in x64 virtualized world.

ZoneAlarm not found in stack text, yet I assume it contributed to BSODs based on the 0xc0000005 exceptions found in WERCON. I do think it caused those.

I don't know what would account for the 0x80000003 exception. Unless injection of ???

I'm guessing, since ZoneAlarm gave an appcrash, I believe it would be the injection of the ZoneAlarm firewall kernel driver (which does run in ring-0),
which means that the firewall driver might be the cause of this...

My apologies.

Most of my post intended for H2SO4.

"ZoneAlarm un-install" meant for OP JimJoe

it happens all the time...;)
well it does happen often (at least to me..:p)
 

Thank you.

I myself only came by 0x8...3 a handful of times during recent BSODs. I have seen many BSODs with the checked-build exception in the past, but most of them turned out to be just that - a checked build of Vista or XP.
 

@ H2SO4 - I really like your how-to on crash dump analysis.
I refer many to them.

The nicest thing anyone said to me all day. Now I feel obligated to go fix it up :)

I can't tell where that hard breakpoint in the OP's Explorer crash is coming from, but I cannot link it to the BSoD at this point. As you said, this looks like a networking SNAFU...

0: kd> .trap 8af6794c
ErrCode = 00000002
eax=00000000 ebx=884675f8 ecx=00000000 edx=00000000 esi=8af679fc edi=00000000
eip=821c2ede esp=8af679c0 ebp=8af679d0 iopl=0 nv up ei pl zr na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010246
hal!KeAcquireSpinLockRaiseToSynch+0xe:
821c2ede f00fba2900 lock bts dword ptr [ecx],0 ds:0023:00000000=????????

0: kd> uf .
hal!KeAcquireSpinLockRaiseToSynch:
821c2ed0 64a124000000 mov eax,dword ptr fs:[00000024h] // TLS
821c2ed6 64c605240000001b mov byte ptr fs:[24h],1Bh
hal!KeAcquireSpinLockRaiseToSynch+0xe:
821c2ede f00fba2900 lock bts dword ptr [ecx],0 // <<< boom!, ECX = 0
821c2ee3 7201 jb hal!KeAcquireSpinLockRaiseToSynch+0x16 (821c2ee6)

0: kd> ub 8a279dc6
tcpip!TcpIoControlEndpoint+0x95:
8a279dab ff36 push dword ptr [esi]
8a279dad ff7508 push dword ptr [ebp+8]
8a279db0 e88ca30400 call tcpip!TcpSetSecurityEndpoint (8a2c4141)
8a279db5 e9cd000000 jmp tcpip!TcpIoControlEndpoint+0x171 (8a279e87)
8a279dba 8b7d08 mov edi,dword ptr [ebp+8] // EDI from first arg to tcpip!TcpIoControlEndpoint
8a279dbd 53 push ebx
8a279dbe 8bcf mov ecx,edi // ECX comes from EDI ^^^, both null at crash time
8a279dc0 ff15d4462f8a call dword ptr [tcpip!_imp_KfAcquireSpinLock (8a2f46d4)]

0: kd> ub 8a2797b5 L5
tcpip!TcpTlEndpointIoControlEndpoint+0x71:
8a2797a5 e840090000 call tcpip!TcpSetSockOptEndpoint (8a27a0ea)
8a2797aa eb09 jmp tcpip!TcpTlEndpointIoControlEndpoint+0x81 (8a2797b5)
8a2797ac 50 push eax
8a2797ad ff7508 push dword ptr [ebp+8] // bad arg simply being passed onwards
8a2797b0 e861050000 call tcpip!TcpIoControlEndpoint (8a279d16)

0: kd> ub 8ecfd200 L10
tdx!TdxIssueQueryAddressRequest+0x1ca:
...
8ecfd1e4 8b5dfc mov ebx,dword ptr [ebp-4] // the first local is a struct
8ecfd1e7 8b832c010000 mov eax,dword ptr [ebx+12Ch]
8ecfd1ed 85c0 test eax,eax
8ecfd1ef ffb328010000 push dword ptr [ebx+128h] // <<< the NULL is at offset 0x128
8ecfd1f5 7506 jne tdx!TdxIssueQueryAddressRequest+0x1ff (8ecfd1fd)
8ecfd1f7 8b8330010000 mov eax,dword ptr [ebx+130h]
8ecfd1fd ff5004 call dword ptr [eax+4] // tcpip!TcpTlEndpointIoControlEndpoint


The first local in TdxIssueQueryAddressRequest is a struct with a null member at +0x128. I think that's what leads to the crash, but I'm zonked and mistakes in disassembly are likely :)

If the worker thread crashes the same way in the absence of the Avast filters, ZA, and with an updated NIC driver, this would get really interesting to troubleshoot.
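A triage sketch for the trap frame in the post above, added here and not part of the original thread: it decodes the error code and evaluates the faulting memory operand against the register dump to confirm a NULL dereference. It assumes the trap frame is for an x86 page fault, that the first 64 KB of address space is never mapped, and uses hypothetical function names.

```python
import re

# Constructed sample: the .trap output from the post, trimmed to the lines used here.
TRAP = """ErrCode = 00000002
eax=00000000 ebx=884675f8 ecx=00000000 edx=00000000 esi=8af679fc edi=00000000
eip=821c2ede esp=8af679c0 ebp=8af679d0 iopl=0 nv up ei pl zr na pe nc
821c2ede f00fba2900 lock bts dword ptr [ecx],0 ds:0023:00000000=????????"""

NULL_PAGE_LIMIT = 0x10000  # assumption: the first 64 KB is never mapped

def decode_errcode(code):
    """Low three bits of the x86 page-fault error code."""
    return {
        "cause": "protection violation" if code & 1 else "page not present",
        "access": "write" if code & 2 else "read",
        "mode": "user" if code & 4 else "kernel",
    }

def effective_address(operand, regs):
    """Evaluate a simple [reg], [reg+disp] or [reg-disp] operand (disp in hex)."""
    m = re.fullmatch(r"\[(\w+)(?:([+-])([0-9a-fA-F]+)h?)?\]", operand)
    if m is None:
        raise ValueError(f"unsupported operand {operand}")
    base = regs[m[1]]
    disp = int(m[3], 16) if m[3] else 0
    return (base - disp if m[2] == "-" else base + disp) & 0xFFFFFFFF

def triage(trap_text):
    # Collect the 32-bit general registers printed by the debugger.
    regs = {name: int(value, 16) for name, value in
            re.findall(r"\b(e[a-z]{2})=([0-9a-f]{8})\b", trap_text)}
    err = int(re.search(r"ErrCode = ([0-9a-fA-F]+)", trap_text)[1], 16)
    operand = re.search(r"ptr (\[[^\]]+\])", trap_text)[1]
    addr = effective_address(operand, regs)
    result = decode_errcode(err)
    result.update(operand=operand, address=addr, null_deref=addr < NULL_PAGE_LIMIT)
    return result

if __name__ == "__main__":
    print(triage(TRAP))
```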
 


No bsod after I got rid of avast. I went back to AVG free.
 


System One

  • Manufacturer/Model
    Acer Aspire X1700
    Motherboard
    ASUS
    Memory
    3 gigs
    Graphics Card(s)
    EVGA 1 gig GeForce 210
    Monitor(s) Displays
    Vizio 21" tv
    Screen Resolution
    1920x1080 resolution
    Hard Drives
    1 terabyte sata in 1 partition
    Cooling
    fans that came with it
    Keyboard
    basic USB
    Mouse
    basic USB
    Internet Speed
    3 megabits on a cable modem, wired

Looks like no more problems. How do I mark this resolved?
 
